p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: p15693087:develop
Branches Tags
p15693087:develop
p15693087:jd003
p15693087:zmt001
p15693087:2269-publish-events-from-zerologon
p15693087:2269-update-nodes-on-exploit
p15693087:2267-add-services-to-machine
p15693087:2269-publish-events-from-smbexec-exploiter
p15693087:2269-publish-events-from-wmi
p15693087:2269-publish-events-from-powershell-exploiter
p15693087:consolidate-agent-event-handlers
p15693087:2269-bb-use-new-api-endpoints
p15693087:2260-fix-mypy-victimhost
p15693087:2260-fix-mypy-fingerprintdata
p15693087:2260-fix-mypy-portscandata
p15693087:v1.13.0-documentation-updates
p15693087:add-shellcheck-to-travis-build
p15693087:add-shellcheck-precommit-hook
p15693087:2121-update-legacy-code-to-standard
p15693087:PROTECTED_token_test
p15693087:mike-demo
p15693087:reduce-appimage-size
p15693087:agent-refactor
p15693087:master
p15693087:release/1.13.0
p15693087:DO-NOT-DELETE_swimm-system-info-collector
p15693087:release/1.12.0
p15693087:release/1.11.0
p15693087:couchdb-exploit
p15693087:release/1.10.0
p15693087:release/1.9.0
p15693087:release/1.8.0
p15670423:master
p15670423:2267-add-services-to-machine
p15670423:develop
p15670423:agent-refactor
p15670423:consolidate-agent-event-handlers
p15670423:jd003
p15670423:zmt001
p15670423:2269-publish-events-from-zerologon
p15670423:2269-update-nodes-on-exploit
p15670423:2269-publish-events-from-smbexec-exploiter
p15670423:2269-publish-events-from-wmi
p15670423:2269-publish-events-from-powershell-exploiter
p15670423:2269-bb-use-new-api-endpoints
p15670423:2260-fix-mypy-victimhost
p15670423:2260-fix-mypy-fingerprintdata
p15670423:2260-fix-mypy-portscandata
p15670423:v1.13.0-documentation-updates
p15670423:add-shellcheck-to-travis-build
p15670423:add-shellcheck-precommit-hook
p15670423:2121-update-legacy-code-to-standard
p15670423:PROTECTED_token_test
p15670423:mike-demo
p15670423:reduce-appimage-size
p15670423:release/1.13.0
p15670423:DO-NOT-DELETE_swimm-system-info-collector
p15670423:release/1.12.0
p15670423:release/1.11.0
p15670423:couchdb-exploit
p15670423:release/1.10.0
p15670423:release/1.9.0
p15670423:release/1.8.0
p15670423:v1.7.0
p15670423:1.7.0
p15670423:zero-trust-demo-2
p15670423:zero-trust-demo-1
p15670423:v1.6.3
p15670423:v1.6.2
p15670423:v1.6.2-old
p15670423:infection_monkey_1.6.1_AWS_only
p15670423:v1.5
p15670423:1.5.2
p15670423:1.6
p15670423:list
p15670423:v1.10.0
p15670423:v1.11.0
p15670423:v1.12.0
p15670423:v1.13.0
p15670423:v1.5.1
p15670423:v1.8.0
p15670423:v1.8.2
p15670423:v1.9.0
..
compare: p15693087:couchdb-exploit
Branches Tags
p15693087:develop
p15693087:jd003
p15693087:zmt001
p15693087:2269-publish-events-from-zerologon
p15693087:2269-update-nodes-on-exploit
p15693087:2267-add-services-to-machine
p15693087:2269-publish-events-from-smbexec-exploiter
p15693087:2269-publish-events-from-wmi
p15693087:2269-publish-events-from-powershell-exploiter
p15693087:consolidate-agent-event-handlers
p15693087:2269-bb-use-new-api-endpoints
p15693087:2260-fix-mypy-victimhost
p15693087:2260-fix-mypy-fingerprintdata
p15693087:2260-fix-mypy-portscandata
p15693087:v1.13.0-documentation-updates
p15693087:add-shellcheck-to-travis-build
p15693087:add-shellcheck-precommit-hook
p15693087:2121-update-legacy-code-to-standard
p15693087:PROTECTED_token_test
p15693087:mike-demo
p15693087:reduce-appimage-size
p15693087:agent-refactor
p15693087:master
p15693087:release/1.13.0
p15693087:DO-NOT-DELETE_swimm-system-info-collector
p15693087:release/1.12.0
p15693087:release/1.11.0
p15693087:couchdb-exploit
p15693087:release/1.10.0
p15693087:release/1.9.0
p15693087:release/1.8.0
p15670423:master
p15670423:2267-add-services-to-machine
p15670423:develop
p15670423:agent-refactor
p15670423:consolidate-agent-event-handlers
p15670423:jd003
p15670423:zmt001
p15670423:2269-publish-events-from-zerologon
p15670423:2269-update-nodes-on-exploit
p15670423:2269-publish-events-from-smbexec-exploiter
p15670423:2269-publish-events-from-wmi
p15670423:2269-publish-events-from-powershell-exploiter
p15670423:2269-bb-use-new-api-endpoints
p15670423:2260-fix-mypy-victimhost
p15670423:2260-fix-mypy-fingerprintdata
p15670423:2260-fix-mypy-portscandata
p15670423:v1.13.0-documentation-updates
p15670423:add-shellcheck-to-travis-build
p15670423:add-shellcheck-precommit-hook
p15670423:2121-update-legacy-code-to-standard
p15670423:PROTECTED_token_test
p15670423:mike-demo
p15670423:reduce-appimage-size
p15670423:release/1.13.0
p15670423:DO-NOT-DELETE_swimm-system-info-collector
p15670423:release/1.12.0
p15670423:release/1.11.0
p15670423:couchdb-exploit
p15670423:release/1.10.0
p15670423:release/1.9.0
p15670423:release/1.8.0
p15670423:v1.7.0
p15670423:1.7.0
p15670423:zero-trust-demo-2
p15670423:zero-trust-demo-1
p15670423:v1.6.3
p15670423:v1.6.2
p15670423:v1.6.2-old
p15670423:infection_monkey_1.6.1_AWS_only
p15670423:v1.5
p15670423:1.5.2
p15670423:1.6
p15670423:list
p15670423:v1.10.0
p15670423:v1.11.0
p15670423:v1.12.0
p15670423:v1.13.0
p15670423:v1.5.1
p15670423:v1.8.0
p15670423:v1.8.2
p15670423:v1.9.0

1 Commits
develop ... couchdb-ex

Author SHA1 Message Date
Ilija Lazoroski 94c2587fee Exploit: Add Apache CouchDB remote code execution exploit 2021-07-22 18:21:04 +02:00
1453 changed files with 47499 additions and 76979 deletions
Show Stats Expand all files Collapse all files

1
.flake8
View File

@ -5,7 +5,6 @@ exclude = monkey/monkey_island/cc/ui,vulture_allowlist.py
show-source = True
max-complexity = 10
max-line-length = 100
per-file-ignores = __init__.py:F401
### ignore "whitespace before ':'", "line break before binary operator" for
### compatibility with black, and cyclomatic complexity (for now).

2
.gitattributes vendored
View File

@ -1,4 +1,4 @@
monkey/tests/data_for_tests/ransomware_targets/** -text
monkey/tests/data_for_tests/test_readme.txt -text
monkey/tests/data_for_tests/stable_file.txt -text
monkey/infection_monkey/payload/ransomware/ransomware_readme.txt -text
monkey/infection_monkey/ransomware/ransomware_readme.txt -text

16
.github/ISSUE_TEMPLATE/04_refactor.md vendored
View File

@ -1,16 +0,0 @@
---
name: "🏗Refactor"
about: Refactor existing code
title: ''
labels: Refactor
assignees: ''
---
# Refactor
## Component(s) to be refactored
-
## Explanation

8
.github/ISSUE_TEMPLATE/06_blank.md vendored
View File

@ -1,8 +0,0 @@
---
name: "📒Blank"
about: A blank issue for anything not covered by another template
title: ''
labels:
assignees: ''
---

0
.github/ISSUE_TEMPLATE/01_bug_report.md → .github/ISSUE_TEMPLATE/Bug_report.md vendored
View File

0
.github/ISSUE_TEMPLATE/03_documentation_request.md → .github/ISSUE_TEMPLATE/Documentation_request.md vendored
View File

0
.github/ISSUE_TEMPLATE/02_feature_request.md → .github/ISSUE_TEMPLATE/Feature_request.md vendored
View File

2
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@ -4,5 +4,5 @@ contact_links:
url: https://join.slack.com/t/infectionmonkey/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU
about: Our community Slack channel - you can ask questions or suggest things here.
- name: FAQs
url: https://www.guardicore.com/infectionmonkey/docs/faq/
url: https://www.guardicore.com/infectionmonkey/faq/
about: Frequently Asked Questions - if you have a question, see if we've already answered it!

0
.github/ISSUE_TEMPLATE/05_spike.md → .github/ISSUE_TEMPLATE/spike.md vendored
View File

15
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -1,19 +1,22 @@
# What does this PR do?
# What does this PR do?
Fixes #`put issue number here`.
Fixes #`put issue number here`.
Add any further explanations here.
Add any further explanations here.
## PR Checklist
* [ ] Have you added an explanation of what your changes do and why you'd like to include them?
* [ ] Is the TravisCI build passing?
* [ ] Is the TravisCI build passing?
* [ ] Was the CHANGELOG.md updated to reflect the changes?
* [ ] Was the documentation framework updated to reflect the changes?
* [ ] Have you checked that you haven't introduced any duplicate code?
## Testing Checklist
* [ ] Added relevant unit tests?
* [ ] Have you successfully tested your changes locally? Elaborate:
> Tested by {Running the Monkey locally with relevant config/running Island/...}
> Tested by {Running the Monkey locally with relevant config/running Island/...}
* [ ] If applicable, add screenshots or log transcripts of the feature working
## Explain Changes
Are the commit messages enough? If not, elaborate.

13
.gitignore vendored
View File

@ -59,7 +59,7 @@ coverage.xml
*.log
# Sphinx documentation
/monkey/monkey_island/docs/source/_autosummary
docs/_build/
# PyBuilder
target/
@ -85,7 +85,7 @@ MonkeyZoo/*
monkey/logs
# Exported monkey telemetries
/envs/monkey_zoo/blackbox/tests/performance/telemetry_sample/
/monkey/telem_sample/
# Profiling logs
profiler_logs/
@ -98,12 +98,3 @@ profiler_logs/
# Virtualenv
venv/
# Hugo
.hugo_build.lock
# mypy
.mypy_cache
# MacOS
.DS_Store

3
.gitmodules vendored
View File

@ -1,3 +1,6 @@
[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
path = monkey/monkey_island/cc/services/attack/attack_data
url = https://github.com/guardicore/cti
[submodule "docs/themes/learn"]
path = docs/themes/learn
url = https://github.com/guardicode/hugo-theme-learn.git

23
.pre-commit-config.yaml
View File

@ -1,7 +1,7 @@
default_stages: [commit]
repos:
- repo: https://github.com/pycqa/isort
rev: 5.10.1
rev: 5.8.0
hooks:
- id: isort
name: isort (python)
@ -12,16 +12,16 @@ repos:
name: isort (pyi)
types: [pyi]
- repo: https://github.com/psf/black
rev: 22.3.0
rev: 20.8b1
hooks:
- id: black
- repo: https://gitlab.com/pycqa/flake8
rev: 4.0.1
rev: 3.9.1
hooks:
- id: flake8
additional_dependencies: [dlint]
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.1.0
rev: v3.4.0
hooks:
- id: check-added-large-files
- id: check-case-conflict
@ -31,21 +31,10 @@ repos:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/eslint/eslint
rev: v8.12.0
rev: v7.24.0
hooks:
- id: eslint
args: ["monkey/monkey_island/cc/ui/src/", "--fix", "--max-warnings=0"]
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v0.971
hooks:
- id: mypy
additional_dependencies: [types-ipaddress, types-paramiko, types-python-dateutil, types-requests]
exclude: "vulture_allowlist.py"
args: [--ignore-missing-imports]
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.7.2
hooks:
- id: shellcheck
- repo: local
hooks:
- id: pytest
@ -56,7 +45,7 @@ repos:
exclude: "monkey/monkey_island/cc/ui"
stages: [push]
- repo: https://github.com/swimmio/pre-commit
rev: v0.7
rev: v0.2
hooks:
- id: swimm-verify
- repo: https://github.com/jendrikseipp/vulture

87
.swm/AzD8XysWg1BBXCjCDkfq.swm Normal file
View File

@ -0,0 +1,87 @@
{
"id": "AzD8XysWg1BBXCjCDkfq",
"name": "Add a new configuration setting to the Agent ⚙",
"task": {
"dod": "Make the max victim number that Monkey will find before stopping configurable by the user instead of constant.",
"tests": [],
"hints": [
"Look for `victims_max_exploit` - it's rather similar."
]
},
"content": [
{
"type": "text",
"text": "# Make something configurable\n\nIn this unit, you will learn how to add a configuration option to Monkey and how to use it in the Monkey Agent code. \n\n![computer fire](https://media.giphy.com/media/7J4P7cUur2DlErijp3/giphy.gif \"computer fire\")\n\n## Why is this important?\n\nEnabling users to configure the Monkey's behaviour gives them a lot more freedom in how they want to use the Monkey and enables more use cases.\n\n## What is \"Max victims to find\"?\n\nThe Monkey has a function which finds \"victim\" machines on the network for the Monkey to try and exploit. It's called `get_victim_machines`. This function accepts an argument which limits how many machines the Monkey should find.\n\nWe want to make that value editable by the user instead of constant in the code.\n\n## Manual testing\n\n1. After you've performed the required changes, reload the Server and check your value exists in the Internal tab of the config (see image).\n\n![](https://i.imgur.com/e0XAxuV.png)\n\n2. Set the new value to 1, and run Monkey locally (from source). See that the Monkey only scans one machine."
},
{
"type": "snippet",
"path": "monkey/infection_monkey/config.py",
"comments": [],
"firstLineNumber": 126,
"lines": [
" exploiter_classes = []",
" system_info_collector_classes = []",
" ",
"* # how many victims to look for in a single scan iteration\r",
"* victims_max_find = 100\r",
" ",
" # how many victims to exploit before stopping",
" victims_max_exploit = 100"
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/monkey.py",
"comments": [],
"firstLineNumber": 159,
"lines": [
" ",
" if not self._keep_running or not WormConfiguration.alive:",
" break",
"*",
"* machines = self._network.get_victim_machines(",
"* max_find=WormConfiguration.victims_max_find,",
"* stop_callback=ControlClient.check_for_stop,",
"* )",
" is_empty = True",
" for machine in machines:",
" if ControlClient.check_for_stop():"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/internal.py",
"comments": [],
"firstLineNumber": 42,
"lines": [
" \"title\": \"Monkey\",",
" \"type\": \"object\",",
" \"properties\": {",
"* \"victims_max_find\": {",
"* \"title\": \"Max victims to find\",",
"* \"type\": \"integer\",",
"* \"default\": 100,",
"* \"description\": \"Determines the maximum number of machines the monkey is \"",
"* \"allowed to scan\",",
"* },",
" \"victims_max_exploit\": {",
" \"title\": \"Max victims to exploit\",",
" \"type\": \"integer\","
]
},
{
"type": "text",
"text": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/config_templates)."
}
],
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.1-1",
"file_blobs": {
"monkey/infection_monkey/config.py": "ffdea551eb1ae2b65d4700db896c746771e7954c",
"monkey/infection_monkey/monkey.py": "c81a6251746e3af4e93eaa7d50af44d33debe05c",
"monkey/monkey_island/cc/services/config_schema/internal.py": "d03527b89c21dfb832a15e4f7d55f4027d83b453"
}
}
}

52
.swm/JFXftJml8DpmuCPBA9rL.swm Normal file
View File

@ -0,0 +1,52 @@
{
"id": "JFXftJml8DpmuCPBA9rL",
"name": "Add details about your new PBA",
"task": {
"dod": "You should add your new PBA's details to the configuration.",
"tests": [],
"hints": [
"Have a look at the details of the other techniques."
]
},
"content": [
{
"type": "text",
"text": "In order to make sure that the new `ScheduleJobs` PBA is shown in the configuration on the Monkey Island, you need to add its details to the configuration file(s). <br><br>\n\nSince this particular PBA is related to the MITRE techniques [T1168](https://attack.mitre.org/techniques/T1168) and [T1053](https://attack.mitre.org/techniques/T1053), make sure to link the PBA with these techniques in the configuration as well. <br><br>\n\nEach part of the configuration has an important role \n- *enum* — contains the relevant PBA's class name(s)\n- *title* — holds the name of the PBA which is displayed in the configuration on the Monkey Island\n- *info* — consists of an elaboration on the PBA's working which is displayed in the configuration on the Monkey Island\n- *attack_techniques* — has the IDs of the MITRE techniques associated with the PBA\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- You should be able to see your new PBA under the \"Monkey\" tab in the configuration, along with its information when you click on it\n- Further, when you enable/disable the associated MITRE techniques under the ATT&CK tab in the configuration, the PBA should also be enabled/disabled\n\n<img src=\"https://i.imgur.com/a5VSkL5.gif\" height=400>"
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": [],
"firstLineNumber": 56,
"lines": [
" \"Removes the file afterwards.\",",
" \"attack_techniques\": [\"T1166\"],",
" },",
"* {",
"+ # Swimmer: ADD DETAILS HERE!",
"* \"type\": \"string\",",
"* \"enum\": [\"ScheduleJobs\"],",
"* \"title\": \"Job scheduling\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to create a scheduled job on the system and remove it.\",",
"* \"attack_techniques\": [\"T1168\", \"T1053\"],",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": [\"Timestomping\"],"
]
},
{
"type": "text",
"text": "- The PBA details in this file are reflected on the Monkey Island in the PBA configuration.\n- PBAs are also linked to the relevant MITRE techniques in this file, whose results can then be seen in the MITRE ATT&CK report on the Monkey Island."
}
],
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.1-1",
"file_blobs": {
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "ea9b18aba7f71da12c9c82ac39d8a0cf2c472a9c"
}
}
}

210
.swm/OwcKMnALpn7tuBaJY1US.swm Normal file
View File

@ -0,0 +1,210 @@
{
"id": "OwcKMnALpn7tuBaJY1US",
"name": "Add a new System Info Collector",
"task": {
"dod": "Add a system info collector that collects the machine hostname.",
"tests": [],
"hints": [
"First thing you should do is take a look at a different collector (like EnvironmentCollector) and 100% understand how it runs, how results are relayed back to the server, and how the server processes the data.",
"Try to run \"socket.getfqdn()\".",
"Take a look at SystemInfoCollector - that's the base class you'll need to implement.",
"Make sure you add the new collector to the configuration in all relevant places, including making it ON by default!"
]
},
"content": [
{
"type": "text",
"text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
},
{
"type": "snippet",
"path": "monkey/common/common_consts/system_info_collectors_names.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" AWS_COLLECTOR = \"AwsCollector\"",
"*HOSTNAME_COLLECTOR = \"HostnameCollector\"",
"+# SWIMMER: Collector name goes here.",
" ENVIRONMENT_COLLECTOR = \"EnvironmentCollector\"",
" PROCESS_LIST_COLLECTOR = \"ProcessListCollector\"",
" MIMIKATZ_COLLECTOR = \"MimikatzCollector\""
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/system_info/collectors/hostname_collector.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging",
" import socket",
"*",
"*from common.common_consts.system_info_collectors_names import HOSTNAME_COLLECTOR",
"*from infection_monkey.system_info.system_info_collector import SystemInfoCollector",
" ",
" logger = logging.getLogger(__name__)",
" ",
"*",
"+# SWIMMER: The collector class goes here.",
"*class HostnameCollector(SystemInfoCollector):",
"* def __init__(self):",
"* super().__init__(name=HOSTNAME_COLLECTOR)",
"*",
"* def collect(self) -> dict:",
"* return {\"hostname\": socket.getfqdn()}"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py",
"comments": [],
"firstLineNumber": 4,
"lines": [
" ENVIRONMENT_COLLECTOR,",
"* HOSTNAME_COLLECTOR,",
" MIMIKATZ_COLLECTOR,",
" PROCESS_LIST_COLLECTOR,",
" )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py",
"comments": [],
"firstLineNumber": 37,
"lines": [
" \"currently running on.\",",
" \"attack_techniques\": [\"T1082\"],",
" },",
"* {",
"+ # SWIMMER: Collector config goes here. Tip: Hostname collection relates to the T1082 and T1016 techniques.",
"* \"type\": \"string\",",
"* \"enum\": [HOSTNAME_COLLECTOR],",
"* \"title\": \"Hostname collector\",",
"* \"safe\": True,",
"* \"info\": \"Collects machine's hostname.\",",
"* \"attack_techniques\": [\"T1082\", \"T1016\"],",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": [PROCESS_LIST_COLLECTOR],"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/monkey.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" from common.common_consts.system_info_collectors_names import (",
" AWS_COLLECTOR,",
" AZURE_CRED_COLLECTOR,",
" ENVIRONMENT_COLLECTOR,",
"* HOSTNAME_COLLECTOR,",
" MIMIKATZ_COLLECTOR,",
" PROCESS_LIST_COLLECTOR,",
" )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/monkey.py",
"comments": [],
"firstLineNumber": 92,
"lines": [
" \"default\": [",
" ENVIRONMENT_COLLECTOR,",
" AWS_COLLECTOR,",
"* HOSTNAME_COLLECTOR,",
" PROCESS_LIST_COLLECTOR,",
" MIMIKATZ_COLLECTOR,",
" AZURE_CRED_COLLECTOR,"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/hostname.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging",
" ",
"*from monkey_island.cc.models.monkey import Monkey",
"+# SWIMMER: This will be useful :) monkey_island.cc.models.monkey.Monkey has the useful",
"+# \"get_single_monkey_by_guid\" and \"set_hostname\" methods.",
" ",
" logger = logging.getLogger(__name__)",
" ",
" ",
"*def process_hostname_telemetry(collector_results, monkey_guid):",
"+# SWIMMER: Processing function goes here.",
"* Monkey.get_single_monkey_by_guid(monkey_guid).set_hostname(collector_results[\"hostname\"])"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging",
" import typing",
" ",
" from common.common_consts.system_info_collectors_names import (",
" AWS_COLLECTOR,",
" ENVIRONMENT_COLLECTOR,",
"* HOSTNAME_COLLECTOR,"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": [],
"firstLineNumber": 25,
"lines": [
" SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS = {",
" AWS_COLLECTOR: [process_aws_telemetry],",
" ENVIRONMENT_COLLECTOR: [process_environment_telemetry],",
"* HOSTNAME_COLLECTOR: [process_hostname_telemetry],",
" PROCESS_LIST_COLLECTOR: [check_antivirus_existence],",
" }",
" "
]
},
{
"type": "snippet",
"lines": [
" )",
" from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import (",
" process_environment_telemetry,",
" )",
"*from monkey_island.cc.services.telemetry.processing.system_info_collectors.hostname import (",
"* process_hostname_telemetry,",
"*)",
" from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import (",
" check_antivirus_existence,",
" )"
],
"firstLineNumber": 12,
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": []
},
{
"type": "text",
"text": "System info collectors are useful to get more data for various things, such as ZT tests or MITRE techniques. Take a look at some other techniques!"
}
],
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.4-0",
"file_blobs": {
"monkey/common/common_consts/system_info_collectors_names.py": "175a054e1408805a4cebbe27e2f9616db40988cf",
"monkey/infection_monkey/system_info/collectors/hostname_collector.py": "0aeecd9fb7bde83cccd4501ec03e0da199ec5fc3",
"monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py": "9a4a39050eb088876df4fa629e14faf820e714a0",
"monkey/monkey_island/cc/services/config_schema/monkey.py": "e745da5828c63e975625ac2e9b80ce9626324970",
"monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/hostname.py": "e2de4519cbd71bba70e81cf3ff61817437d95a21",
"monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py": "7ce4b6fcfbce0d6cd8a60297213c5be1699b22df"
}
}
}

15
.swm/VW4rf3AxRslfT7lwaug7.swm
View File

@ -18,24 +18,23 @@
"type": "snippet",
"path": "monkey/infection_monkey/post_breach/actions/schedule_jobs.py",
"comments": [],
"firstLineNumber": 15,
"firstLineNumber": 12,
"lines": [
" \"\"\"",
" ",
" def __init__(self, telemetry_messenger: ITelemetryMessenger):",
" def __init__(self):",
"* linux_cmds, windows_cmds = get_commands_to_schedule_jobs()",
"+ pass",
"*",
"+ # Swimmer: IMPLEMENT HERE!",
"* super(ScheduleJobs, self).__init__(",
"* telemetry_messenger,",
"* name=POST_BREACH_JOB_SCHEDULING,",
"* linux_cmd=\" \".join(linux_cmds),",
"* windows_cmd=windows_cmds,",
"* )",
"*",
"* def run(self, options: Dict):",
"* super(ScheduleJobs, self).run(options)",
"* def run(self):",
"* super(ScheduleJobs, self).run()",
"* remove_scheduled_jobs()"
]
},
@ -45,11 +44,11 @@
}
],
"symbols": {},
"file_version": "2.0.3",
"file_version": "2.0.1",
"meta": {
"app_version": "0.6.6-2",
"app_version": "0.4.1-1",
"file_blobs": {
"monkey/infection_monkey/post_breach/actions/schedule_jobs.py": "4ab023e35fa4424f0c6583233f5b056c7b1cad51"
"monkey/infection_monkey/post_breach/actions/schedule_jobs.py": "e7845968a0c27d2eba71a8889645fe88491cb2a8"
}
}
}

122
.swm/tbxb2cGgUiJQ8Btma0fp.swm Normal file
View File

@ -0,0 +1,122 @@
{
"id": "tbxb2cGgUiJQ8Btma0fp",
"name": "Add a simple Post Breach action",
"task": {
"dod": "You should add a new PBA to the Monkey which creates a new user on the machine.",
"tests": [],
"hints": [
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.",
"Make sure to add the PBA to the configuration as well.",
"MITRE ATT&CK technique T1136 articulates that adversaries may create an account to maintain access to victim systems, therefore, the BackdoorUser PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report."
]
},
"content": [
{
"type": "text",
"text": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n"
},
{
"type": "snippet",
"path": "monkey/common/common_consts/post_breach_consts.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"",
"*POST_BREACH_BACKDOOR_USER = \"Backdoor user\"",
"+# Swimmer: PUT THE NEW CONST HERE!",
" POST_BREACH_FILE_EXECUTION = \"File execution\"",
" POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"",
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\""
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/post_breach/actions/add_user.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
"*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
"*from infection_monkey.config import WormConfiguration",
"*from infection_monkey.post_breach.pba import PBA",
"*from infection_monkey.utils.random_password_generator import get_random_password",
"*from infection_monkey.utils.users import get_commands_to_add_user",
"*",
"*",
"*class BackdoorUser(PBA):",
"* def __init__(self):",
"* random_password = get_random_password()",
"*",
"* linux_cmds, windows_cmds = get_commands_to_add_user(",
"* WormConfiguration.user_to_add, random_password",
"* )",
"*",
"* super(BackdoorUser, self).__init__(",
"* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
"* )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" from common.common_consts.post_breach_consts import (",
"* POST_BREACH_BACKDOOR_USER,",
" POST_BREACH_COMMUNICATE_AS_NEW_USER,",
" )"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 12,
"lines": [
" unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"",
" scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"",
" used_msg = \"Monkey created a new user on the network's systems.\"",
"* pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]",
"+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": [],
"firstLineNumber": 5,
"lines": [
" \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",",
" \"type\": \"string\",",
" \"anyOf\": [",
"* {",
"+ # Swimmer: Add new PBA here to config!",
"* \"type\": \"string\",",
"* \"enum\": [\"BackdoorUser\"],",
"* \"title\": \"Back door user\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",",
"* \"attack_techniques\": [\"T1136\"],",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": [\"CommunicateAsNewUser\"],"
]
},
{
"type": "text",
"text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... "
}
],
"symbols": {},
"file_version": "2.0.1",
"meta": {
"app_version": "0.4.4-0",
"file_blobs": {
"monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
"monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
"monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
}
}
}

182
.travis.yml
View File

@ -4,137 +4,89 @@
group: travis_latest
branches:
only:
- develop
- master
- fix-travis
language: python
jobs:
include:
- name: "Monkey Linux"
language: python
python:
- 3.7
os: linux
dist: focal
vm:
size: x-large
env:
- PIP_CACHE_DIR=$HOME/.cache/pip PIPENV_CACHE_DIR=$HOME/.cache/pipenv LIBSODIUM_MAKE_ARGS=-j8
env:
- PIP_CACHE_DIR=$HOME/.cache/pip PIPENV_CACHE_DIR=$HOME/.cache/pipenv
cache:
- pip: true
- npm: true
- directories:
- "$HOME/.npm"
- $PIP_CACHE_DIR
- $PIPENV_CACHE_DIR
cache:
- pip
- directories:
- "$HOME/.npm"
- $PIP_CACHE_DIR
- $PIPENV_CACHE_DIR
install:
# Python
- nproc
- pip install pip --upgrade
- pipenv --version
# Install island and monkey requirements as they are needed by UT's
- pushd monkey/monkey_island
- pipenv sync --dev # This installs dependencies from lock
- popd
- pushd monkey/infection_monkey
- pipenv sync --dev # This installs dependencies from lock
- popd
python:
- 3.7
# node + npm + eslint
- node --version
- npm --version
- nvm --version
- nvm install 16
- nvm use node
- npm i -g eslint
- node --version
- npm --version
os: linux
# hugo (for documentation)
- curl -L https://github.com/gohugoio/hugo/releases/download/v0.92.0/hugo_0.92.0_Linux-64bit.tar.gz --output hugo.tar.gz
# print hugo version (useful for debugging documentation build errors)
- tar -zxf hugo.tar.gz
- ./hugo version
script:
# check python code
## check syntax errors and fail the build if any are found.
- flake8 .
## check import order
- python -m isort ./monkey --check-only
install:
# Python
- pip install pipenv
# Install island and monkey requirements as they are needed by UT's
- pushd monkey/monkey_island
- pipenv sync --dev # This installs dependencies from lock
- popd
- pushd monkey/infection_monkey
- pipenv sync --dev # This installs dependencies from lock
- popd
## check that all python is properly formatted. fail otherwise.
- python -m black --check .
# node + npm + eslint
- node --version
- npm --version
- nvm --version
- nvm install 12
- nvm use node
- npm i -g eslint
- node --version
- npm --version
## check that there is no dead python code
- python -m vulture .
# hugo (for documentation)
- curl -L https://github.com/gohugoio/hugo/releases/download/v0.85.0/hugo_0.85.0_Linux-64bit.tar.gz --output hugo.tar.gz
# print hugo version (useful for debugging documentation build errors)
- tar -zxf hugo.tar.gz
- ./hugo version
## run unit tests and generate coverage data
- cd monkey # this is our source dir
- pip install pytest-xdist
- python -m pytest -n auto --dist loadscope --cov=. # have to use `python -m pytest` instead of `pytest` to add "{$builddir}/monkey/monkey" to sys.path.
script:
# Check Python code
## Check syntax errors and fail the build if any are found.
- flake8 .
# check js code. the npm install must happen after the flake8 because the node_modules folder will cause a lot of errors.
- cd monkey_island/cc/ui
- npm ci # see https://docs.npmjs.com/cli/ci.html
- eslint ./src --quiet # test for errors
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=0
- eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT # test for max warnings
## Check import order
- python -m isort ./monkey --check-only
# build documentation
- cd $TRAVIS_BUILD_DIR/docs
- ../hugo --verbose --environment staging
## Check that all python is properly formatted. Fail otherwise.
- python -m black --check .
# verify swimm
- cd $TRAVIS_BUILD_DIR
- curl -l https://releases.swimm.io/ci/latest/packed-swimm-linux-cli --output swimm-cli
- chmod u+x swimm-cli
- ./swimm-cli --version
- ./swimm-cli verify
## Check that there is no dead python code
- python -m vulture .
after_success:
# Upload code coverage results to codecov.io, see https://github.com/codecov/codecov-bash for more information
- bash <(curl -s https://codecov.io/bash)
## Run unit tests and generate coverage data
- cd monkey # This is our source dir
- python -m pytest --cov=. # Have to use `python -m pytest` instead of `pytest` to add "{$builddir}/monkey/monkey" to sys.path.
- name: "Monkey Windows"
language: bash
os: windows
vm:
size: x-large
before_install:
- choco install python --version=3.7.9
- python -m pip install -U pip setuptools virtualenv
- python -m virtualenv $HOME/venv
- source $HOME/venv/Scripts/activate
env:
PATH=/c/Python37:/c/Python37/Scripts:$PATH
cache:
pip: true
directories:
- $LOCALAPPDATA/pip/Cache
- $LOCALAPPDATA/pipenv/Cache
install:
# Python
- nproc
- pip install pipenv==2022.7.4
# Install island and monkey requirements as they are needed by UT's
- pushd monkey/monkey_island
- pipenv sync --dev # This installs dependencies from lock
- popd
- pushd monkey/infection_monkey
- pipenv sync --dev # This installs dependencies from lock
- popd
# Check JS code. The npm install must happen AFTER the flake8 because the node_modules folder will cause a lot of errors.
- cd monkey_island/cc/ui
- npm ci # See https://docs.npmjs.com/cli/ci.html
- eslint ./src --quiet # Test for errors
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=0
- eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT # Test for max warnings
script:
## run unit tests and generate coverage data
- cd monkey # this is our source dir
- pip install pytest-xdist
- python -m pytest -n auto --dist loadscope
# Build documentation
- cd $TRAVIS_BUILD_DIR/docs
- ../hugo --verbose --environment staging
# verify swimm
- cd $TRAVIS_BUILD_DIR
- curl -L https://github.com/swimmio/SwimmReleases/releases/download/v0.5.0-0/swimm-cli.js --output swimm_cli
- node swimm_cli --version
- node swimm_cli verify
after_success:
# Upload code coverage results to codecov.io, see https://github.com/codecov/codecov-bash for more information
- bash <(curl -s https://codecov.io/bash)
notifications:
slack: # Notify to slack

284
CHANGELOG.md
View File

@ -1,280 +1,60 @@
# Changelog
All notable changes to this project will be documented in this
file.
All notable changes to this project will be documented in this file.
The format is based on [Keep a
Changelog](https://keepachangelog.com/en/1.0.0/).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased]
### Added
- credentials.json file for storing Monkey Island user login information. #1206
- "GET /api/propagation-credentials/<string:guid>" endpoint for agents to
retrieve updated credentials from the Island. #1538
- "GET /api/island/ip-addresses" endpoint to get IP addresses of the Island server
network interfaces. #1996
- SSHCollector as a configurable System info Collector. #1606
- deployment_scrips/install-infection-monkey-service.sh to install an AppImage
as a service. #1552
- The ability to download the Monkey Island logs from the Infection Map page. #1640
- `/api/reset-agent-configuration` endpoint. #2036
- `/api/clear-simulation-data` endpoint. #2036
- `/api/registration-status` endpoint. #2149
- authentication to `/api/island/version`. #2109
- `/api/agent-events` endpoint. #2155, #2300
- The ability to customize the file extension used by ransomware when
encrypting files. #1242
- `/api/agents` endpoint. #2362
- `/api/agent-signals` endpoint. #2261
- `/api/agent-logs/<uuid:agent_id>` endpoint. #2274
- `/api/machines` endpoint. #2362
### Changed
- Reset workflow. Now it's possible to delete data gathered by agents without
resetting the configuration and reset procedure requires fewer clicks. #957
- "Communicate as Backdoor User" PBA's HTTP requests to request headers only and
include a timeout. #1577
- The setup procedure for custom server_config.json files to be simpler. #1576
- The order and content of Monkey Island's initialization logging to give
clearer instructions to the user and avoid confusion. #1684
- The process list collection system info collector to now be a post-breach action. #1697
- The "/api/monkey/download" endpoint to accept an OS and return a file. #1675
- Log messages to contain human-readable thread names. #1766
- The log file name to `infection-monkey-agent-<TIMESTAMP>-<RANDOM_STRING>.log`. #1761
- "Logs" page renamed to "Telemetries". #1640
- The "/api/fileUpload" endpoint to "/api/file-upload". #1888
- The "/api/test/clear_caches" endpoint to "/api/test/clear-caches". #1888
- The "/api/netmap/nodeStates" endpoint to "/api/netmap/node-states". #1888
- All "/api/monkey_control" endpoints to "/api/monkey-control". #1888
- All "/api/monkey" endpoints to "/api/agent". #1888
- Analytics and version update queries are sent separately instead of just one query. #2165
- Update MongoDB version to 4.4.x. #1924
- Endpoint to get agent binaries from "/api/agent/download/<string:os>" to
"/api/agent-binaries/<string:os>". #1978
- Depth flag (-d) on the agent now acts the way you would expect(it represents
the current depth of the agent, not hops remaining). #2033
- Agent configuration structure. #1996, #1998, #1961, #1997, #1994, #1741,
#1761, #1695, #1605, #2028, #2003
- `/api/island-mode` to accept and return new "unset" mode. #2036
- `/api/version-update` to `api/island/version`. #2109
- `/api/island-mode` to `/api/island/mode`. #2106
- `/api/log/island/download` endpoint to `/api/island/log`. #2107
- `/api/auth` endpoint to `/api/authenticate`. #2105
- `/api/registration` endpoint to `/api/register`. #2105
- `/api/file-upload` endpoit to `/api/pba/upload`. #2154
- Improved the speed of ransomware encryption by 2-3x. #2123
- "-s/--server" to "-s/--servers". #2216
- "-s/--servers" accepts list of servers separated by comma. #2216
- Tunneling to relays to provide better firewall evasion, faster Island
connection times, unlimited hops, and a more resilient way for agents to call
home. #2216, #1583
- "/api/monkey-control/stop-all-agents" to "/api/agent-signals/terminate-all-agents". #2261
- "Local network scan" option to "Scan Agent's networks". #2299
### Removed
- VSFTPD exploiter. #1533
- Manual agent run command for CMD. #1556
- Sambacry exploiter. #1567, #1693
- "Kill file" option in the config. #1536
- Netstat collector, because network connection information wasn't used anywhere. #1535
- Checkbox to disable/enable sending log to server. #1537
- Checkbox for self deleting a monkey agent on cleanup. #1537
- Checkbox for file logging. #1537
- Remove serialization of config. #1537
- Checkbox that gave the option to not try to first move the dropper file. #1537
- Custom singleton mutex name config option. #1589
- Removed environment system info collector #1535
- Azure credential collector, because it was broken (not gathering credentials). #1535
- Custom monkey directory name config option. #1537
- Hostname system info collector. #1535
- Max iterations and timeout between iterations config options. #1600
- MITRE ATT&CK configuration screen. #1532
- Propagation credentials from "GET /api/monkey/<string:guid>" endpoint. #1538
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
- Max victims to find/exploit, TCP scan interval and TCP scan get banner internal options. #1597
- MySQL fingerprinter. #1648
- MS08-067 (Conficker) exploiter. #1677
- Agent bootloader. #1676
- Zero Trust integration with ScoutSuite. #1669
- ShellShock exploiter. #1733
- ElasticGroovy exploiter. #1732
- T1082 attack technique report. #1695
- 32-bit agents. #1675
- Log path config options. #1761
- "smb_service_name" option. #1741
- Struts2 exploiter. #1869
- Drupal exploiter. #1869
- WebLogic exploiter. #1869
- The /api/t1216-pba/download endpoint. #1864
- Island log download button from "Telemetries"(previously called "Logs") page. #1640
- "/api/client-monkey" endpoint. #1889
- "+dev" from version numbers. #1553
- agent's "--config" argument. #906
- Option to export monkey telemetries. #1998
- "/api/configuration/import" endpoint. #2002
- "/api/configuration/export" endpoint. #2002
- "/api/island-configuration" endpoint. #2003
- "-t/--tunnel" from agent command line arguments. #2216
- "/api/monkey-control/neets-to-stop". #2261
- "GET /api/test/monkey" endpoint. #2269
- "GET /api/test/log" endpoint. #2269
### Fixed
- A bug in network map page that caused delay of telemetry log loading. #1545
- Windows "run as a user" powershell command for manual agent runs. #1556
- A bug in the "Signed Script Proxy Execution" PBA that downloaded the exe on Linux
systems as well. #1557
- A bug where T1216_random_executable.exe was copied to disk even if the signed
script proxy execution PBA was disabled. #1864
- Unnecessary collection of kerberos credentials. #1771
- A bug where bogus users were collected by Mimikatz and added to the config. #1860
- A bug where windows executable was not self deleting. #1763
- Incorrect line number in the telemetry overview window on the Map page. #1850
- Automatic jumping to the bottom in the telemetry overview windows. #1850
- 2-second delay when the Island server starts, and it's not running on AWS. #1636
- Malformed MSSQL agent launch command. #2018
### Security
- Change SSH exploiter so that it does not set the permissions of the agent
binary in /tmp on the target system to 777, as this could allow a malicious
actor with local access to escalate their privileges. #1750
## [1.13.0] - 2022-01-25
### Added
- A new exploiter that allows propagation via the Log4Shell vulnerability
(CVE-2021-44228). #1663
### Fixed
- Exploiters attempting to start servers listening on privileged ports,
resulting in failed propagation. 8f53a5c
## [1.12.0] - 2021-10-27
### Added
- A new exploiter that allows propagation via PowerShell Remoting. #1246
- A warning regarding antivirus when agent binaries are missing. #1450
- A deployment.json file to store the deployment type. #1205
### Changed
- The name of the "Communicate as new user" post-breach action to "Communicate
as backdoor user". #1410
- Resetting login credentials also cleans the contents of the database. #1495
- ATT&CK report messages (more accurate now). #1483
- T1086 (PowerShell) now also reports if ps1 scripts were run by PBAs. #1513
- ATT&CK report messages to include internal config options as reasons
for unscanned attack techniques. #1518
### Removed
- Internet access check on agent start. #1402
- The "internal.monkey.internet_services" configuration option that enabled
internet access checks. #1402
- Disused traceroute binaries. #1397
- "Back door user" post-breach action. #1410
- Stale code in the Windows system info collector that collected installed
packages and WMI info. #1389
- Insecure access feature in the Monkey Island. #1418
- The "deployment" field from the server_config.json. #1205
- The "Execution through module load" ATT&CK technique,
since it can no longer be exercise with current code. #1416
- Browser window pop-up when Monkey Island starts on Windows. #1428
### Fixed
- Misaligned buttons and input fields on exploiter and network configuration
pages. #1353
- Credentials shown in plain text on configuration screens. #1183
- Crash when unexpected character encoding is used by ping command on German
language systems. #1175
- Malfunctioning timestomping PBA. #1405
- Malfunctioning shell startup script PBA. #1419
- Trap command produced no output. #1406
- Overlapping Guardicore logo in the landing page. #1441
- PBA table collapse in security report on data change. #1423
- Unsigned Windows agent binaries in Linux packages are now signed. #1444
- Some of the gathered credentials no longer appear in plaintext in the
database. #1454
- Encryptor breaking with UTF-8 characters. (Passwords in different languages
can be submitted in the config successfully now.) #1490
- Mimikatz collector no longer fails if Azure credential collector is disabled.
#1512, #1493
- Unhandled error when "modify shell startup files PBA" is unable to find
regular users. #1507
- ATT&CK report bug that showed different techniques' results under a technique
if the PBA behind them was the same. #1514
- ATT&CK report bug that said that the technique "`.bash_profile` and
`.bashrc`" was not attempted when it actually was attempted but failed. #1511
- Bug that periodically cleared the telemetry table's filter. #1392
- Crashes, stack traces, and other malfunctions when data from older versions
of Infection Monkey is present in the data directory. #1114
- Broken update links. #1524
### Security
- Generate a random password when creating a new user for CommunicateAsNewUser
PBA. #1434
- Credentials gathered from victim machines are no longer stored plaintext in
the database. #1454
- Encrypt the database key with user's credentials. #1463
## [1.11.0] - 2021-08-13
### Added
- PostgreSQL fingerprinter. #892
- A runtime-configurable option to specify a data directory where runtime
configuration and other artifacts can be stored. #994
- Scripts to build an AppImage for Monkey Island. #1069, #1090, #1136, #1381
- Scripts to build an AppImage for Monkey Island. #1069, #1090, #1136
- `log_level` option to server config. #1151
- A ransomware simulation payload. #1238
- The capability for a user to specify their own SSL certificate. #1208
- API endpoint for ransomware report. #1297
- A ransomware report. #1240
- A script to build a docker image locally. #1140
- Add ransomware report. #1240
### Changed
- Select server_config.json at runtime. #963
- Select Logger configuration at runtime. #971
- Select `mongo_key.bin` file location at runtime. #994
- Store Monkey agents in the configurable data_dir when monkey is "run from the
- island". #997
- Reformat all code using black. #1070
- Sort all imports using isort. #1081
- Address all flake8 issues. #1071
- server_config.json can be selected at runtime. #963
- Logger configuration can be selected at runtime. #971
- `mongo_key.bin` file location can be selected at runtime. #994
- Monkey agents are stored in the configurable data_dir when monkey is "run
from the island". #997
- Reformated all code using black. #1070
- Sorted all imports usind isort. #1081
- Addressed all flake8 issues. #1071
- Use pipenv for python dependency management. #1091
- Move unit tests to a dedicated `tests/` directory to improve pytest collection
time. #1102
- Skip BB performance tests by default. Run them if `--run-performance-tests`
flag is specified.
- Write Zerologon exploiter's runtime artifacts to a secure temporary directory
- Moved unit tests to a dedicated `tests/` directory to improve pytest
collection time. #1102
- Default BB test suite behavior: if `--run-performance-tests` flag is not
specified, performance tests are skipped.
- Zerologon exploiter writes runtime artifacts to a secure temporary directory
instead of $HOME. #1143
- Put environment config options in `server_config.json` into a separate
section named "environment". #1161
- Automatically register if BlackBox tests are run on a fresh
installation. #1180
- Limit the ports used for scanning in blackbox tests. #1368
- Limit the propagation depth of most blackbox tests. #1400
- Wait less time for monkeys to die when running BlackBox tests. #1400
- Improve the structure of unit tests by scoping fixtures only to relevant
modules instead of having a one huge fixture file. #1178
- Improve and rename the directory structure of unit tests and unit test
infrastructure. #1178
- Launch MongoDB when the Island starts via python. #1148
- Create/check data directory on Island initialization. #1170
- Format some log messages to make them more readable. #1283
- Improve runtime of some unit tests. #1125
- Run curl OR wget (not both) when attempting to communicate as a new user on
Linux. #1407
- Authentication mechanism to use bcrypt on server side. #1139
- `server_config.json` puts environment config options in a separate section
named "environment". #1161
- BlackBox tests can now register if they are ran on a fresh installation. #1180
- Improved the structure of unit tests by scoping fixtures only to relevant modules
instead of having a one huge fixture file, improved and renamed the directory
structure of unit tests and unit test infrastructure. #1178
- MongoDb now gets launched by the Island via python. #1148
- Create/check data directory on Island init. #1170
- The formatting of some log messages to make them more readable. #1283
- Some unit tests to run faster. #1125
### Removed
- Relevant dead code as reported by Vulture. #1149
- Island logger config and --logger-config CLI option. #1151
### Fixed
- Attempt to delete a directory when monkey config reset was called. #1054
- Attempted to delete a directory when monkey config reset was called. #1054
- An errant space in the windows commands to run monkey manually. #1153
- Gevent tracebacks in console output. #859
- Crash and failure to run PBAs if max depth reached. #1374
- gevent tracebacks in console output. #859
### Security
- Address minor issues discovered by Dlint. #1075
- Hash passwords on server-side instead of client side. #1139
- Generate random passwords when creating a new user (create user PBA, ms08_67
exploit). #1174
- Generate random passwords when creating a new user (create user PBA, ms08_67 exploit). #1174
- Implemented configuration encryption/decryption. #1189, #1204
- Create local custom PBA directory with secure permissions. #1270
- Create encryption key file for MongoDB with secure permissions. #1232

22
README.md
View File

@ -1,7 +1,7 @@
# Infection Monkey
[![GitHub release (latest by date)](https://img.shields.io/github/v/release/guardicore/monkey)](https://github.com/guardicore/monkey/releases)
[![Build Status](https://app.travis-ci.com/guardicore/monkey.svg?branch=develop)](https://app.travis-ci.com/guardicore/monkey)
[![Build Status](https://travis-ci.com/guardicore/monkey.svg?branch=develop)](https://travis-ci.com/guardicore/monkey)
[![codecov](https://codecov.io/gh/guardicore/monkey/branch/develop/graph/badge.svg)](https://codecov.io/gh/guardicore/monkey)
![GitHub stars](https://img.shields.io/github/stars/guardicore/monkey)
@ -18,18 +18,7 @@ The Infection Monkey is comprised of two parts:
* **Monkey** - A tool which infects other machines and propagates to them.
* **Monkey Island** - A dedicated server to control and visualize the Infection Monkey's progress inside the data center.
To read more about the Monkey, visit [akamai.com/infectionmonkey](https://www.akamai.com/infectionmonkey).
## 💥 We're Hiring 💥
We are looking for a software engineering manager with a passion for UX and
cybersecurity to join the Infection Monkey development team. This is a remote
position and is open anywhere in Israel. You can learn more about Infection
Monkey on our [website](https://www.akamai.com/infectionmonkey).
For more information, or to apply, see the official job post:
- [Israel](https://akamaicareers.inflightcloud.com/jobdetails/aka_ext/028224?section=aka_ext&job=028224)
test1111
To read more about the Monkey, visit [infectionmonkey.com](https://infectionmonkey.com).
## Screenshots
@ -57,8 +46,11 @@ The Infection Monkey uses the following techniques and exploits to propagate to
* SSH
* SMB
* WMI
* Log4Shell
* Zerologon
* Shellshock
* Conficker
* SambaCry
* Elastic Search (CVE-2015-1427)
* Weblogic server
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
## Setup

0
build_scripts/appimage/.gitignore → appimage/.gitignore vendored
View File

6
build_scripts/appimage/AppRun → appimage/AppRun
View File

@ -13,10 +13,6 @@ export TKPATH="${TK_LIBRARY}"
# Export SSL certificate
export SSL_CERT_FILE="${APPDIR}/opt/_internal/certs.pem"
if [ "$1" == "service" ] ; then
exec /bin/bash "${APPDIR}/install-infection-monkey-service.sh" ${@:2}
fi
# Call the entry point
for opt in "$@"
do
@ -29,7 +25,5 @@ do
fi
done
export PYTHONNOUSERSITE=1
(PYTHONHOME="${APPDIR}/opt/python3.7" exec "${APPDIR}/opt/python3.7/bin/python3.7" "${APPDIR}/usr/src/monkey_island.py" $@)
exit "$?"

35
appimage/README.md Normal file
View File

@ -0,0 +1,35 @@
# Monkey Island AppImage
## About
This directory contains the necessary artifacts for building an Infection
Monkey AppImage
## Building an AppImage
1. Create a clean VM or LXC (not docker!) based on Ubuntu 18.04.
1. Copy the `deployment_scripts/appimage` directory to `$HOME/` in the VM.
1. Run `sudo -v`.
1. On the VM, `cd $HOME/appimage`
1. Execute `./build_appimage.sh`. This will pull all necessary dependencies
and build the AppImage.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by removing the following files and directories.
- $HOME/.monkey_island (optional)
- $HOME/appimage/squashfs-root
- $HOME/git/monkey
- $HOME/appimage/Infection_Monkey*x86_64.AppImage
After removing the above files and directories, you can again execute `bash
build_appimage.sh`.
## Running the AppImage
The build script will produce an AppImage executible named
`Infection_Monkey-x86_64.AppImage`. Simply execute this file and you're off to
the races.
A new directory, `$HOME/.monkey_island` will be created to store runtime
artifacts.

368
appimage/build_appimage.sh Executable file
View File

@ -0,0 +1,368 @@
#!/bin/bash
WORKSPACE=${WORKSPACE:-$HOME}
APPDIR="$PWD/squashfs-root"
INSTALL_DIR="$APPDIR/usr/src"
GIT=$WORKSPACE/git
DEFAULT_REPO_MONKEY_HOME=$GIT/monkey
ISLAND_PATH="$INSTALL_DIR/monkey_island"
MONGO_PATH="$ISLAND_PATH/bin/mongodb"
ISLAND_BINARIES_PATH="$ISLAND_PATH/cc/binaries"
MONKEY_ORIGIN_URL="https://github.com/guardicore/monkey.git"
CONFIG_URL="https://raw.githubusercontent.com/guardicore/monkey/develop/deployment_scripts/config"
NODE_SRC=https://deb.nodesource.com/setup_12.x
APP_TOOL_URL=https://github.com/AppImage/AppImageKit/releases/download/12/appimagetool-x86_64.AppImage
PYTHON_VERSION="3.7.11"
PYTHON_APPIMAGE_URL="https://github.com/niess/python-appimage/releases/download/python3.7/python${PYTHON_VERSION}-cp37-cp37m-manylinux1_x86_64.AppImage"
exit_if_missing_argument() {
if [ -z "$2" ] || [ "${2:0:1}" == "-" ]; then
echo "Error: Argument for $1 is missing" >&2
exit 1
fi
}
echo_help() {
echo "usage: build_appimage.sh [--help] [--agent-binary-dir <PATH>] [--branch <BRANCH>]"
echo " [--monkey-repo <PATH>] [--version <MONKEY_VERSION>]"
echo ""
echo "Creates an AppImage package for Infection Monkey."
echo ""
echo "--agent-binary-dir A directory containing the agent binaries that"
echo " you'd like to include with the AppImage. If this"
echo " parameter is unspecified, the latest release"
echo " binaries will be downloaded from GitHub."
echo ""
echo "--as-root Throw caution to the wind and allow this script"
echo " to be run as root."
echo ""
echo "--branch The git branch you'd like the AppImage to be"
echo " built from. (Default: develop)"
echo ""
echo "--monkey-repo A directory containing the Infection Monkey git"
echo " repository. If the directory is empty or does"
echo " not exist, a new repo will be cloned from GitHub."
echo " If the directory is already a valid GitHub repo,"
echo " it will be used as-is and the --branch parameter"
echo " will have no effect."
echo " (Default: $DEFAULT_REPO_MONKEY_HOME)"
echo ""
echo "--version A version number for the AppImage package."
echo " (Default: dev)"
exit 0
}
is_root() {
return "$(id -u)"
}
has_sudo() {
# 0 true, 1 false
sudo -nv > /dev/null 2>&1
return $?
}
handle_error() {
echo "Fix the errors above and rerun the script"
exit 1
}
log_message() {
echo -e "\n\n"
echo -e "APPIMAGE BUILDER: $1"
}
install_nodejs() {
log_message "Installing nodejs"
curl -sL $NODE_SRC | sudo -E bash -
sudo apt-get install -y nodejs
}
install_build_prereqs() {
sudo apt-get update
sudo apt-get upgrade -y
# monkey island prereqs
sudo apt-get install -y curl libcurl4 openssl git build-essential moreutils
install_nodejs
}
install_appimage_tool() {
log_message "Installing appimagetool"
APP_TOOL_BIN=$WORKSPACE/bin/appimagetool
mkdir -p "$WORKSPACE"/bin
curl -L -o "$APP_TOOL_BIN" "$APP_TOOL_URL"
chmod u+x "$APP_TOOL_BIN"
PATH=$PATH:$WORKSPACE/bin
}
is_valid_git_repo() {
pushd "$1" 2>/dev/null || return 1
git status >/dev/null 2>&1
success="$?"
popd || exit 1
return $success
}
clone_monkey_repo() {
local repo_dir=$1
local branch=$2
if [[ ! -d "$repo_dir" ]]; then
mkdir -p "$repo_dir"
fi
log_message "Cloning files from git"
git clone --single-branch --recurse-submodules -b "$branch" "$MONKEY_ORIGIN_URL" "$repo_dir" 2>&1 || handle_error
}
setup_appdir() {
local agent_binary_dir=$1
local monkey_repo=$2
setup_python_37_appdir
copy_monkey_island_to_appdir "$monkey_repo"/monkey
add_agent_binaries_to_appdir "$agent_binary_dir"
install_monkey_island_python_dependencies
install_mongodb
generate_ssl_cert
build_frontend
add_monkey_icon "$monkey_repo"/monkey
add_desktop_file
add_apprun
}
setup_python_37_appdir() {
PYTHON_APPIMAGE="python${PYTHON_VERSION}_x86_64.AppImage"
rm -rf "$APPDIR" || true
log_message "downloading Python3.7 Appimage"
curl -L -o "$PYTHON_APPIMAGE" "$PYTHON_APPIMAGE_URL"
chmod u+x "$PYTHON_APPIMAGE"
./"$PYTHON_APPIMAGE" --appimage-extract
rm "$PYTHON_APPIMAGE"
mkdir -p "$INSTALL_DIR"
}
copy_monkey_island_to_appdir() {
cp "$1"/__init__.py "$INSTALL_DIR"
cp "$1"/monkey_island.py "$INSTALL_DIR"
cp -r "$1"/common "$INSTALL_DIR/"
cp -r "$1"/monkey_island "$INSTALL_DIR/"
cp ./server_config.json.standard "$INSTALL_DIR"/monkey_island/cc/
# TODO: This is a workaround that may be able to be removed after PR #848 is
# merged. See monkey_island/cc/environment_singleton.py for more information.
cp ./server_config.json.standard "$INSTALL_DIR"/monkey_island/cc/server_config.json
}
install_monkey_island_python_dependencies() {
log_message "Installing island requirements"
log_message "Installing pipenv"
"$APPDIR"/AppRun -m pip install pipenv || handle_error
requirements_island="$ISLAND_PATH/requirements.txt"
generate_requirements_from_pipenv_lock "$requirements_island"
log_message "Installing island python requirements"
"$APPDIR"/AppRun -m pip install -r "${requirements_island}" --ignore-installed || handle_error
}
generate_requirements_from_pipenv_lock () {
log_message "Generating a requirements.txt file with 'pipenv lock -r'"
cd "$ISLAND_PATH" || exit 1
"$APPDIR"/AppRun -m pipenv --python "$APPDIR/AppRun" lock -r > "$1" || handle_error
cd - || exit 1
}
add_agent_binaries_to_appdir() {
if [ -z "$1" ]; then
download_monkey_agent_binaries_to_appdir
else
copy_agent_binaries_to_appdir "$1"
fi
make_linux_binaries_executable
}
download_monkey_agent_binaries_to_appdir() {
log_message "Downloading monkey agent binaries to ${ISLAND_BINARIES_PATH}"
load_monkey_binary_config
mkdir -p "${ISLAND_BINARIES_PATH}" || handle_error
curl -L -o "${ISLAND_BINARIES_PATH}/${LINUX_32_BINARY_NAME}" "${LINUX_32_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${LINUX_64_BINARY_NAME}" "${LINUX_64_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${WINDOWS_32_BINARY_NAME}" "${WINDOWS_32_BINARY_URL}"
curl -L -o "${ISLAND_BINARIES_PATH}/${WINDOWS_64_BINARY_NAME}" "${WINDOWS_64_BINARY_URL}"
}
copy_agent_binaries_to_appdir() {
cp "$1"/* "$ISLAND_BINARIES_PATH/"
}
make_linux_binaries_executable() {
chmod a+x "$ISLAND_BINARIES_PATH"/monkey-linux-*
}
load_monkey_binary_config() {
tmpfile=$(mktemp)
log_message "Downloading prebuilt binary configuration"
curl -L -s -o "$tmpfile" "$CONFIG_URL"
log_message "Loading configuration"
source "$tmpfile"
}
install_mongodb() {
log_message "Installing MongoDB"
mkdir -p "$MONGO_PATH"
"${ISLAND_PATH}"/linux/install_mongo.sh "${MONGO_PATH}" || handle_error
}
generate_ssl_cert() {
log_message "Generating certificate"
chmod u+x "${ISLAND_PATH}"/linux/create_certificate.sh
"${ISLAND_PATH}"/linux/create_certificate.sh "${ISLAND_PATH}"/cc
}
build_frontend() {
pushd "$ISLAND_PATH/cc/ui" || handle_error
log_message "Generating front end"
npm ci
npm run dist
popd || handle_error
remove_node_modules
}
remove_node_modules() {
# Node has served its purpose. We don't need to deliver the node modules with
# the AppImage.
rm -rf "$ISLAND_PATH"/cc/ui/node_modules
}
add_monkey_icon() {
unlink "$APPDIR"/python.png
mkdir -p "$APPDIR"/usr/share/icons
cp "$1"/monkey_island/cc/ui/src/images/monkey-icon.svg "$APPDIR"/usr/share/icons/infection-monkey.svg
ln -s "$APPDIR"/usr/share/icons/infection-monkey.svg "$APPDIR"/infection-monkey.svg
}
add_desktop_file() {
unlink "$APPDIR/python${PYTHON_VERSION}.desktop"
cp ./infection-monkey.desktop "$APPDIR"/usr/share/applications
ln -s "$APPDIR"/usr/share/applications/infection-monkey.desktop "$APPDIR"/infection-monkey.desktop
}
add_apprun() {
cp ./AppRun "$APPDIR"
}
build_appimage() {
log_message "Building AppImage"
ARCH="x86_64" appimagetool "$APPDIR"
apply_version_to_appimage "$1"
}
apply_version_to_appimage() {
log_message "Renaming Infection_Monkey-x86_64.AppImage -> Infection_Monkey-$1-x86_64.AppImage"
mv "Infection_Monkey-x86_64.AppImage" "Infection_Monkey-$1-x86_64.AppImage"
}
agent_binary_dir=""
as_root=false
branch="develop"
monkey_repo="$DEFAULT_REPO_MONKEY_HOME"
monkey_version="dev"
while (( "$#" )); do
case "$1" in
--agent-binary-dir)
exit_if_missing_argument "$1" "$2"
agent_binary_dir=$2
shift 2
;;
--as-root)
as_root=true
shift
;;
--branch)
exit_if_missing_argument "$1" "$2"
branch=$2
shift 2
;;
-h|--help)
echo_help
;;
--monkey-repo)
exit_if_missing_argument "$1" "$2"
monkey_repo=$2
shift 2
;;
--version)
exit_if_missing_argument "$1" "$2"
monkey_version=$2
shift 2
;;
*)
echo "Error: Unsupported parameter $1" >&2
exit 1
;;
esac
done
log_message "Building Monkey Island AppImage package."
if ! $as_root && is_root; then
log_message "Please don't run this script as root"
exit 1
fi
if ! has_sudo; then
log_message "You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
exit 1
fi
install_build_prereqs
install_appimage_tool
if ! is_valid_git_repo "$monkey_repo"; then
clone_monkey_repo "$monkey_repo" "$branch"
fi
setup_appdir "$agent_binary_dir" "$monkey_repo"
build_appimage "$monkey_version"
log_message "AppImage build script finished."
exit 0

9
build_scripts/appimage/clean.sh → appimage/clean.sh
View File

@ -3,10 +3,7 @@
# This is a utility script to clean up after a failed or successful AppImage build
# in order to speed up development and debugging.
APPIMAGE_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
rm -rf "$HOME/git/monkey"
rm -rf "$HOME/.monkey_island"
rm -rf "$APPIMAGE_DIR/squashfs-root"
rm "$APPIMAGE_DIR"/Infection_Monkey*.AppImage
rm "$APPIMAGE_DIR/../dist/InfectionMonkey*.AppImage"
rm -rf "$HOME/appimage/squashfs-root"
rm -rf "$HOME/git/monkey"
rm $HOME/appimage/Infection_Monkey*x86_64.AppImage

4
build_scripts/appimage/infection-monkey.desktop → appimage/infection-monkey.desktop
View File

@ -1,8 +1,8 @@
[Desktop Entry]
Type=Application
Name=InfectionMonkey
Name=Infection Monkey
Exec=bash
Comment=An automated breach and attack simulation platform
Icon=monkey-icon
Icon=infection-monkey
Categories=Development;
Terminal=true

3
build_scripts/appimage/server_config.json.standard → appimage/server_config.json.standard
View File

@ -2,7 +2,8 @@
"data_dir": "~/.monkey_island",
"log_level": "DEBUG",
"environment": {
"server_config": "password"
"server_config": "password",
"deployment": "standard"
},
"mongodb": {
"start_mongodb": true

48
build_scripts/README.md
View File

@ -1,48 +0,0 @@
# Infection Monkey Linux Package Builder
## About
This directory contains the necessary artifacts for building an Infection
Monkey packages for Linux.
## AppImage
### Building an AppImage
1. Create a clean VM or LXD (not docker!) based on Ubuntu 18.04.
1. Copy the `build_scipts/` directory to `$HOME/` in the VM.
1. On the VM, `cd $HOME/build_scripts`
1. Run `sudo -v`.
1. Execute `./build_appimage.sh`. This will pull all necessary dependencies
and build the AppImage.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by running `appimage/clean.sh`
WARNING: If you use a LXD container, ensure that shiftfs is disabled.
### Running the AppImage
The build script will produce an AppImage executable named
`./dist/Infection_Monkey-x86_64.AppImage`. Simply execute this file and you're off to
the races.
A new directory, `$HOME/.monkey_island` will be created to store runtime
artifacts.
## Docker
### Building a Docker image
1. Create a clean Ubuntu 18.04 VM (not WSL).
1. Copy the `build_scipts/` directory to `$HOME/` in the VM.
1. On the VM, `cd $HOME/build_scripts`
1. Run `sudo -v`.
1. Execute `./build_docker.sh --package docker`. This will pull all necessary dependencies
and build the Docker image.
NOTE: This script is intended to be run from a clean VM. You can also manually
remove build artifacts by running `docker/clean.sh`
### Running the Docker Image
The build script will produce a `.tgz` file in `./dist/`. See
`docker/DOCKER_README.md` for instructions on running the docker image.

135
build_scripts/appimage/appimage.sh
View File

@ -1,135 +0,0 @@
#!/bin/bash
LINUXDEPLOY_URL="https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage"
PYTHON_VERSION="3.7.14"
PYTHON_APPIMAGE_URL="https://github.com/niess/python-appimage/releases/download/python3.7/python${PYTHON_VERSION}-cp37-cp37m-manylinux1_x86_64.AppImage"
APPIMAGE_DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
APPDIR="$APPIMAGE_DIR/squashfs-root"
BUILD_DIR="$APPDIR/usr/src"
ICON_PATH="$BUILD_DIR/monkey_island/cc/ui/src/images/monkey-icon.svg"
MONGO_PATH="$BUILD_DIR/monkey_island/bin/mongodb"
source "$APPIMAGE_DIR/../common.sh"
install_package_specific_build_prereqs() {
log_message "Installing linuxdeploy"
WORKSPACE_BIN_DIR="$1/bin"
LINUXDEPLOY_BIN="$WORKSPACE_BIN_DIR/linuxdeploy"
mkdir -p "$WORKSPACE_BIN_DIR"
curl -L -o "$LINUXDEPLOY_BIN" "$LINUXDEPLOY_URL"
chmod u+x "$LINUXDEPLOY_BIN"
PATH=$PATH:$WORKSPACE_BIN_DIR
}
setup_build_dir() {
local agent_binary_dir=$1
local monkey_repo=$2
local deployment_type=$3
local is_release_build=$4
pushd "$APPIMAGE_DIR" || handle_error
setup_python_37_appdir
mkdir -p "$BUILD_DIR"
copy_monkey_island_to_build_dir "$monkey_repo/monkey" "$BUILD_DIR"
copy_server_config_to_build_dir
copy_infection_monkey_service_to_build_dir
modify_deployment "$deployment_type" "$BUILD_DIR"
add_agent_binaries_to_build_dir "$agent_binary_dir" "$BUILD_DIR"
install_monkey_island_python_dependencies
install_mongodb
generate_ssl_cert "$BUILD_DIR"
build_frontend "$BUILD_DIR" "$is_release_build"
remove_python_appdir_artifacts
popd || handle_error
}
setup_python_37_appdir() {
PYTHON_APPIMAGE="python${PYTHON_VERSION}_x86_64.AppImage"
log_message "downloading Python3.7 Appimage"
curl -L -o "$PYTHON_APPIMAGE" "$PYTHON_APPIMAGE_URL"
chmod u+x "$PYTHON_APPIMAGE"
"./$PYTHON_APPIMAGE" --appimage-extract
rm "$PYTHON_APPIMAGE"
}
copy_infection_monkey_service_to_build_dir() {
cp "$APPIMAGE_DIR"/install-infection-monkey-service.sh "$APPDIR"
}
copy_server_config_to_build_dir() {
cp "$APPIMAGE_DIR"/server_config.json.standard "$BUILD_DIR"/monkey_island/cc/server_config.json
}
install_monkey_island_python_dependencies() {
log_message "Installing island requirements"
log_message "Installing pipenv"
"$APPDIR"/AppRun -m pip install pipenv==2022.7.4 || handle_error
export CI=1
log_message "Installing dependencies"
pushd "$BUILD_DIR/monkey_island" || handle_error
"$APPDIR"/AppRun -m pipenv --python "$APPDIR/AppRun" sync --system || handle_error
popd || handle_error
log_message "Uninstalling pipenv (build dependency only)"
"$APPDIR"/AppRun -m pip uninstall --yes pipenv virtualenv || handle_error
}
install_mongodb() {
log_message "Installing MongoDB"
mkdir -p "$MONGO_PATH"
"$BUILD_DIR/monkey_island/linux/install_mongo.sh" "${MONGO_PATH}" || handle_error
}
remove_python_appdir_artifacts() {
rm "$APPDIR"/python.png
rm "$APPDIR"/python*.desktop
rm "$APPDIR"/AppRun
}
build_package() {
local version=$1
local dist_dir=$2
log_message "Building AppImage"
pushd "$APPIMAGE_DIR" || handle_error
ARCH="x86_64" linuxdeploy \
--appdir "$APPIMAGE_DIR/squashfs-root" \
--icon-file "$ICON_PATH" \
--desktop-file "$APPIMAGE_DIR/infection-monkey.desktop" \
--custom-apprun "$APPIMAGE_DIR/AppRun" \
--deploy-deps-only="$MONGO_PATH/bin/mongod"\
--output appimage
dst_name="InfectionMonkey-$version.AppImage"
move_package_to_dist_dir "$dist_dir" "$dst_name"
popd || handle_error
}
move_package_to_dist_dir() {
mv Infection*Monkey*.AppImage "$1/$2"
}
cleanup() {
echo "Cleaning appimage build dirs"
rm -rf "$APPIMAGE_DIR/squashfs-root"
}

165
build_scripts/appimage/install-infection-monkey-service.sh
View File

@ -1,165 +0,0 @@
#!/bin/bash
set -e
SCRIPT_NAME="$(basename "${APPIMAGE}")"
SYSTEMD_UNIT_FILENAME="infection-monkey.service"
TMP_SYSTEMD_UNIT="${PWD}/${SYSTEMD_UNIT_FILENAME}"
SYSTEMD_DIR="/lib/systemd/system"
MONKEY_BIN="/opt/infection-monkey/bin"
APPIMAGE_NAME="InfectionMonkey.AppImage"
die() {
echo "$1" >&2
echo ""
echo_help
exit 1
}
echo_help() {
echo "Installs the Infection Monkey service to run on boot."
echo ""
echo "Usage:"
echo " ${SCRIPT_NAME} service --install --user <USERNAME>"
echo " ${SCRIPT_NAME} service --uninstall"
echo " ${SCRIPT_NAME} service -h|--help"
echo ""
echo "Options:"
echo " --install Install the Infection Monkey service"
echo " --user Configure the Infection Monkey service to run as a specific user"
echo " --uninstall Uninstall Infection Monkey service"
}
install_service() {
copy_appimage
install_systemd_unit "$1"
echo "The Infection Monkey service has been installed and will start on boot."
echo "Run 'systemctl start infection-monkey' to start the service now."
}
copy_appimage() {
sudo mkdir --mode=0755 -p "${MONKEY_BIN}"
if [ "${APPIMAGE}" != "${MONKEY_BIN}/${APPIMAGE_NAME}" ] ; then
umask 022
sudo cp "${APPIMAGE}" "${MONKEY_BIN}/${APPIMAGE_NAME}"
sudo chmod 755 "${MONKEY_BIN}/${APPIMAGE_NAME}"
fi
}
install_systemd_unit() {
umask 077
cat > "${TMP_SYSTEMD_UNIT}" << EOF
[Unit]
Description=Infection Monkey Runner
After=network.target
[Service]
User=$1
Type=simple
ExecStart="${MONKEY_BIN}/${APPIMAGE_NAME}"
[Install]
WantedBy=multi-user.target
EOF
sudo mv "${TMP_SYSTEMD_UNIT}" "${SYSTEMD_DIR}/${SYSTEMD_UNIT_FILENAME}"
sudo systemctl enable "${SYSTEMD_UNIT_FILENAME}" &>/dev/null
}
uninstall_service() {
if [ -f "${MONKEY_BIN}/${APPIMAGE_NAME}" ] ; then
sudo rm -f "${MONKEY_BIN}/${APPIMAGE_NAME}"
fi
if [ -f "${SYSTEMD_DIR}/${SYSTEMD_UNIT_FILENAME}" ] ; then
sudo systemctl stop "${SYSTEMD_UNIT_FILENAME}" 2>/dev/null
sudo systemctl disable "${SYSTEMD_UNIT_FILENAME}" &>/dev/null
sudo rm "${SYSTEMD_DIR}/${SYSTEMD_UNIT_FILENAME}"
sudo systemctl daemon-reload
fi
echo "The Infection Monkey service has been uninstalled"
}
exit_if_user_doesnt_exist() {
if ! user_exists "$1" ; then
die "Error: User '$1' does not exist."
fi
}
user_exists() {
id -u "$1" &>/dev/null
}
has_sudo() {
# 0 true, 1 false
sudo -nv > /dev/null 2>&1
return $?
}
exit_if_missing_argument() {
if [ -z "$2" ] || [ "${2:0:1}" == "-" ]; then
die "Error: Argument for parameter '$1' is missing."
fi
}
do_uninstall=false
do_install=false
username=""
while (( "$#" )); do
case "$1" in
--user)
exit_if_missing_argument "$1" "$2"
exit_if_user_doesnt_exist "$2"
username=$2
shift 2
;;
--install)
do_install=true
shift
;;
--uninstall)
do_uninstall=true
shift
;;
-h|--help)
echo_help
exit 0
;;
*)
die "Error: Unsupported parameter $1."
;;
esac
done
if ! has_sudo; then
die "Error: You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
fi
if [ -z "${APPIMAGE}" ] ; then
die "Error: Missing 'APPIMAGE' environment variable. Try installing the Infection Monkey service through the AppImage"
fi
if $do_install && $do_uninstall ; then
die "Error: The --install and --uninstall flags are mutually exclusive."
fi
if $do_uninstall ; then
uninstall_service
exit 0
fi
if $do_install ; then
if [ -z "$username" ] ; then
die "Error: You must supply a username."
fi
install_service "$username"
exit 0
fi
die "Error:You must specify either the --install or --uninstall flag."

3
build_scripts/build_appimage.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
./build_package.sh --package appimage $@

3
build_scripts/build_docker.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
./build_package.sh --package docker $@

230
build_scripts/build_package.sh
View File

@ -1,230 +0,0 @@
WORKSPACE=${WORKSPACE:-$HOME}
DEFAULT_REPO_MONKEY_HOME=$WORKSPACE/git/monkey
MONKEY_ORIGIN_URL="https://github.com/guardicore/monkey.git"
NODE_SRC=https://deb.nodesource.com/setup_16.x
BUILD_SCRIPTS_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
DIST_DIR="$BUILD_SCRIPTS_DIR/dist"
log_message() {
echo -e "\n\n"
echo -e "MONKEY ISLAND BUILDER: $1"
}
exit_if_missing_argument() {
if [ -z "$2" ] || [ "${2:0:1}" == "-" ]; then
echo "Error: Argument for $1 is missing" >&2
exit 1
fi
}
echo_help() {
echo "usage: build_package.sh [--help] [--agent-binary-dir <PATH>] [--branch <BRANCH>]"
echo " [--monkey-repo <PATH>] [--version <MONKEY_VERSION>]"
echo " [--deployment <DEPLOYMENT_TYPE>]"
echo ""
echo "Creates a package for Infection Monkey."
echo ""
echo "--agent-binary-dir A directory containing the agent binaries that"
echo " you'd like to include with the package. If this"
echo " parameter is unspecified, the latest release"
echo " binaries will be downloaded from GitHub."
echo ""
echo "--as-root Throw caution to the wind and allow this script"
echo " to be run as root."
echo ""
echo "--branch The git branch you'd like the package to be"
echo " built from. (Default: develop)"
echo ""
echo "--monkey-repo A directory containing the Infection Monkey git"
echo " repository. If the directory is empty or does"
echo " not exist, a new repo will be cloned from GitHub."
echo " If the directory is already a valid GitHub repo,"
echo " it will be used as-is and the --branch parameter"
echo " will have no effect."
echo " (Default: $DEFAULT_REPO_MONKEY_HOME)"
echo ""
echo "--version A version number for the package."
echo ""
echo "--deployment A deployment type for the package."
echo " (Default: develop)"
echo ""
echo "--package Which package to build (\"appimage\" or \"docker.\")"
exit 0
}
is_root() {
return "$(id -u)"
}
has_sudo() {
# 0 true, 1 false
sudo -nv > /dev/null 2>&1
return $?
}
handle_error() {
echo "Fix the errors above and rerun the script"
exit 1
}
install_nodejs() {
log_message "Installing nodejs"
curl -sL $NODE_SRC | sudo -E bash -
sudo apt-get install -y nodejs
}
is_valid_git_repo() {
pushd "$1" 2>/dev/null || return 1
git status >/dev/null 2>&1
success="$?"
popd || exit 1
return $success
}
clone_monkey_repo() {
local repo_dir=$1
local branch=$2
if [[ ! -d "$repo_dir" ]]; then
mkdir -p "$repo_dir"
fi
log_message "Cloning files from git"
git clone -c core.autocrlf=false --single-branch --recurse-submodules -b "$branch" "$MONKEY_ORIGIN_URL" "$repo_dir" 2>&1 || handle_error
}
install_build_prereqs() {
sudo apt-get update
sudo apt-get upgrade -y -o Dpkg::Options::="--force-confold"
# monkey island prereqs
sudo apt-get install -y curl libcurl4 openssl git build-essential moreutils
install_nodejs
}
format_version() {
local unformatted_version=$1
local commit_id=$2
if [ -n "$unformatted_version" ]; then
echo "v$monkey_version"
else
echo "$commit_id"
fi
}
agent_binary_dir=""
as_root=false
branch="develop"
monkey_repo="$DEFAULT_REPO_MONKEY_HOME"
monkey_version=""
package=""
deployment_type=""
while (( "$#" )); do
case "$1" in
--agent-binary-dir)
exit_if_missing_argument "$1" "$2"
agent_binary_dir=$2
shift 2
;;
--as-root)
as_root=true
shift
;;
--branch)
exit_if_missing_argument "$1" "$2"
branch=$2
shift 2
;;
-h|--help)
echo_help
;;
--monkey-repo)
exit_if_missing_argument "$1" "$2"
monkey_repo=$2
shift 2
;;
--version)
exit_if_missing_argument "$1" "$2"
monkey_version=$2
shift 2
;;
--deployment)
exit_if_missing_argument "$1" "$2"
deployment_type=$2
shift 2
;;
--package)
exit_if_missing_argument "$1" "$2"
package=$2
shift 2
;;
*)
echo "Error: Unsupported parameter $1" >&2
exit 1
;;
esac
done
if ! [[ $package =~ ^(appimage|docker)$ ]]; then
log_message "Invalid package: $package."
exit 1
fi
if ! $as_root && is_root; then
log_message "Please don't run this script as root"
exit 1
fi
if ! has_sudo; then
log_message "You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
exit 1
fi
log_message "Building Monkey Island: $package"
source "./$package/$package.sh"
if ! is_valid_git_repo "$monkey_repo"; then
clone_monkey_repo "$monkey_repo" "$branch"
fi
if [ ! -d "$DIST_DIR" ]; then
mkdir "$DIST_DIR"
fi
install_build_prereqs
install_package_specific_build_prereqs "$WORKSPACE"
commit_id=$(get_commit_id "$monkey_repo")
is_release_build=false
# Monkey version is empty on release build
if [ ! -z "$monkey_version" ]; then
is_release_build=true
echo -n "" > "$monkey_repo/monkey/common/BUILD"
else
echo $commit_id > "$monkey_repo/monkey/common/BUILD"
fi
setup_build_dir "$agent_binary_dir" "$monkey_repo" "$deployment_type" "$is_release_build"
monkey_version=$(format_version "$monkey_version" "$commit_id")
build_package "$monkey_version" "$DIST_DIR"
cleanup "$monkey_version"
log_message "Finished building package: $package"
exit 0

105
build_scripts/common.sh
View File

@ -1,105 +0,0 @@
CONFIG_URL="https://raw.githubusercontent.com/guardicore/monkey/develop/deployment_scripts/config"
copy_monkey_island_to_build_dir() {
local src=$1
local build_dir=$2
cp "$src"/__init__.py "$build_dir"
cp "$src"/monkey_island.py "$build_dir"
cp -r "$src"/common "$build_dir/"
rsync \
-ar \
--exclude=monkey_island/cc/ui/node_modules \
--exclude=monkey_island/cc/ui/.npm \
"$src"/monkey_island "$build_dir/"
}
modify_deployment() {
if [ -n "$1" ]; then
local deployment_file_path="$2/monkey_island/cc/deployment.json"
echo -e "{\n \"deployment\": \"$1\"\n}" > $deployment_file_path
fi
}
add_agent_binaries_to_build_dir() {
local agent_binary_dir=$1
local island_binaries_path="$2/monkey_island/cc/binaries/"
if [ -z "$agent_binary_dir" ]; then
download_monkey_agent_binaries $island_binaries_path
else
copy_agent_binaries_to_build_dir "$agent_binary_dir" "$island_binaries_path"
fi
make_linux_binaries_executable "$island_binaries_path"
}
download_monkey_agent_binaries() {
local island_binaries_path=$1
log_message "Downloading monkey agent binaries to ${island_binaries_path}"
load_monkey_binary_config
mkdir -p "${island_binaries_path}" || handle_error
curl -L -o "${island_binaries_path}/${LINUX_64_BINARY_NAME}" "${LINUX_64_BINARY_URL}"
curl -L -o "${island_binaries_path}/${WINDOWS_64_BINARY_NAME}" "${WINDOWS_64_BINARY_URL}"
}
load_monkey_binary_config() {
tmpfile=$(mktemp)
log_message "Downloading prebuilt binary configuration"
curl -L -s -o "$tmpfile" "$CONFIG_URL"
log_message "Loading configuration"
source "$tmpfile"
}
copy_agent_binaries_to_build_dir() {
cp "$1"/* "$2/"
}
make_linux_binaries_executable() {
chmod a+x "$1"/monkey-linux-*
}
generate_ssl_cert() {
local island_path="$1/monkey_island"
log_message "Generating certificate"
chmod u+x "$island_path"/linux/create_certificate.sh
"$island_path"/linux/create_certificate.sh "$island_path"/cc
}
build_frontend() {
local ui_dir="$1/monkey_island/cc/ui"
local is_release_build=$2
pushd "$ui_dir" || handle_error
log_message "Generating front end"
npm ci
if [ "$is_release_build" == true ]; then
log_message "Running production front end build"
npm run dist
else
log_message "Running development front end build"
npm run dev
fi
popd || handle_error
remove_node_modules "$ui_dir"
}
remove_node_modules() {
# Node has served its purpose. We don't need to deliver the node modules with
# the package.
rm -rf "$1/node_modules"
rm -rf "$1/.npm"
}
get_commit_id() {
local monkey_repo=$1
echo $(git -C "$monkey_repo" rev-parse --short HEAD)
}

3
build_scripts/docker/.gitignore vendored
View File

@ -1,3 +0,0 @@
dk.monkeyisland*.tar
infection_monkey_docker_*.tgz
tgz/

4
build_scripts/docker/DOCKER_README.md
View File

@ -1,4 +0,0 @@
# Infection Monkey
For instructions on setting up the Infection Monkey Docker container, see
[https://www.guardicore.com/infectionmonkey/docs/setup/docker/](https://www.guardicore.com/infectionmonkey/docs/setup/docker/).

29
build_scripts/docker/Dockerfile
View File

@ -1,29 +0,0 @@
# Install python dependencies using the bitnami/python:3.7 image, which includes
# development dependencies.
FROM bitnami/python:3.7 as builder
COPY ./monkey /monkey
WORKDIR /monkey
RUN virtualenv .
RUN export CI=1
RUN . bin/activate && \
cd monkey_island && \
pip install pipenv==2022.7.4 && \
pipenv sync
# Build the final application using the bitnami/python:3.7-prod image, which
# does not include development dependencies.
FROM bitnami/python:3.7-prod
RUN apt-get update && apt-get install -y iputils-ping && apt-get clean
COPY --from=builder /monkey /monkey
WORKDIR /monkey
EXPOSE 5000
EXPOSE 5001
ENV MONKEY_DOCKER_CONTAINER=true
RUN groupadd -r monkey-island && useradd --no-log-init -r -g monkey-island monkey-island
RUN chmod 444 /monkey/monkey_island/cc/server.key
RUN chmod 444 /monkey/monkey_island/cc/server.csr
RUN chmod 444 /monkey/monkey_island/cc/server.crt
RUN mkdir /monkey_island_data && chmod 700 /monkey_island_data && chown -R monkey-island:monkey-island /monkey_island_data
USER monkey-island
ENTRYPOINT ["/monkey/entrypoint.sh"]

14
build_scripts/docker/clean.sh
View File

@ -1,14 +0,0 @@
#!/bin/bash
# This is a utility script to clean up after a failed or successful Docker
# image build in order to speed up development and debugging
DOCKER_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
rm -rf "$HOME/git/monkey"
rm -rf "$DOCKER_DIR/monkey"
rm -rf "$DOCKER_DIR/tgz"
rm "$DOCKER_DIR"/dk.monkeyisland.*.tar
rm "$DOCKER_DIR"/infection_monkey_docker*.tgz
rm "$DOCKER_DIR"/../dist/infection_monkey_docker*.tgz

78
build_scripts/docker/docker.sh
View File

@ -1,78 +0,0 @@
DOCKER_DIR="$(realpath $(dirname $BASH_SOURCE[0]))"
DOCKER_IMAGE_NAME="guardicore/monkey-island"
source "$DOCKER_DIR/../common.sh"
install_package_specific_build_prereqs() {
sudo apt-get install -y docker.io
}
setup_build_dir() {
local agent_binary_dir=$1
local monkey_repo=$2
local is_release_build=$4
local build_dir=$DOCKER_DIR/monkey
mkdir "$build_dir"
copy_entrypoint_to_build_dir "$build_dir"
copy_monkey_island_to_build_dir "$monkey_repo/monkey" "$build_dir"
copy_server_config_to_build_dir "$build_dir"
modify_deployment "$deployment_type" "$build_dir"
add_agent_binaries_to_build_dir "$agent_binary_dir" "$build_dir"
generate_ssl_cert "$build_dir"
build_frontend "$build_dir" "$is_release_build"
}
copy_entrypoint_to_build_dir() {
cp "$DOCKER_DIR"/entrypoint.sh "$1"
chmod 755 "$1/entrypoint.sh"
}
copy_server_config_to_build_dir() {
cp "$DOCKER_DIR"/server_config.json "$1"/monkey_island/cc
}
build_package() {
local version=$1
local dist_dir=$2
pushd ./docker
tar_name="$DOCKER_DIR/InfectionMonkey-docker-$version.tar"
build_docker_image_tar "$DOCKER_IMAGE_NAME:$version" "$tar_name"
tgz_name="$DOCKER_DIR/InfectionMonkey-docker-$version.tgz"
build_docker_image_tgz "$tar_name" "$tgz_name"
move_package_to_dist_dir $tgz_name $dist_dir
popd
}
build_docker_image_tar() {
sudo docker build . -t "$1"
sudo docker save "$1" > "$2"
}
build_docker_image_tgz() {
mkdir tgz
mv "$1" ./tgz
cp ./DOCKER_README.md ./tgz/README.md
tar -C ./tgz -cvf "$2" --gzip .
}
move_package_to_dist_dir() {
mv "$1" "$2/"
}
cleanup() {
local tag=$1
echo "Cleaning docker images"
sudo docker rmi "$DOCKER_IMAGE_NAME:$tag"
sudo docker image prune --force
}

6
build_scripts/docker/entrypoint.sh
View File

@ -1,6 +0,0 @@
#!/bin/bash
echo "$@"
source /monkey/bin/activate
python /monkey/monkey_island.py "$@"

6
build_scripts/docker/server_config.json
View File

@ -1,6 +0,0 @@
{
"data_dir": "/monkey_island_data",
"mongodb": {
"start_mongodb": false
}
}

13
c/test_dumps.py
View File

@ -1,13 +0,0 @@
import json
data = {
'name' : 'myname',
'age' : 100,
}
# separators:是分隔符的意思参数意思分别为不同dict项之间的分隔符和dict项内key和value之间的分隔符后面的空格都除去了.
# dumps 将python对象字典转换为json字符串
json_str = json.dumps(data, separators=(',', ':'))
print(type(json_str), json_str)
# loads 将json字符串转化为python对象字典
pyton_obj = json.loads(json_str)
print(type(pyton_obj), pyton_obj)

1
ces.txt
View File

@ -1 +0,0 @@
是分为氛围

1
ces11.txt
View File

@ -1 +0,0 @@
123456

2
deployment_scripts/README.md
View File

@ -22,7 +22,7 @@ The first argument is an empty directory (script can create one). The second arg
- `.\deploy_windows.ps1` (Sets up monkey in current directory under .\infection_monkey)
- `.\deploy_windows.ps1 -monkey_home "C:\test"` (Sets up monkey in C:\test)
- `.\deploy_windows.ps1 -branch 'master'` (Sets up master branch instead of develop in current dir)
- `.\deploy_windows.ps1 -branch "master"` (Sets up master branch instead of develop in current dir)
You may also pass in an optional `agents=$false` parameter to disable downloading the latest agent binaries.

13
deployment_scripts/config
View File

@ -25,11 +25,24 @@ get_latest_release() {
MONKEY_LATEST_RELEASE=$(get_latest_release "guardicore/monkey")
# Monkey binaries
export LINUX_32_BINARY_NAME="monkey-linux-32"
export LINUX_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-linux-32"
export LINUX_64_BINARY_NAME="monkey-linux-64"
export LINUX_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-linux-64"
export WINDOWS_32_BINARY_NAME="monkey-windows-32.exe"
export WINDOWS_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-windows-32.exe"
export WINDOWS_64_BINARY_NAME="monkey-windows-64.exe"
export WINDOWS_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-windows-64.exe"
# Other binaries for monkey
export TRACEROUTE_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute64"
export TRACEROUTE_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute32"
export SAMBACRY_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner64.so"
export SAMBACRY_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner32.so"
# Swimm
export SWIMM_URL=https://github.com/swimmio/SwimmReleases/releases/download/v0.4.4-0/Swimm_0.4.4-0_Setup.deb

16
deployment_scripts/config.ps1
View File

@ -12,15 +12,28 @@ $PYTHON_URL = "https://www.python.org/ftp/python/3.7.7/python-3.7.7-amd64.exe"
# Monkey binaries
$LINUX_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "monkey-linux-32"
$LINUX_32_BINARY_PATH = "monkey-linux-32"
$LINUX_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "monkey-linux-64"
$LINUX_64_BINARY_PATH = "monkey-linux-64"
$WINDOWS_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "monkey-windows-32.exe"
$WINDOWS_32_BINARY_PATH = "monkey-windows-32.exe"
$WINDOWS_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "monkey-windows-64.exe"
$WINDOWS_64_BINARY_PATH = "monkey-windows-64.exe"
$SAMBA_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "sc_monkey_runner32.so"
$SAMBA_32_BINARY_NAME = "sc_monkey_runner32.so"
$SAMBA_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "sc_monkey_runner64.so"
$SAMBA_64_BINARY_NAME = "sc_monkey_runner64.so"
$TRACEROUTE_64_BINARY_URL = $MONKEY_DOWNLOAD_URL + "traceroute64"
$TRACEROUTE_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "traceroute32"
# Other directories and paths ( most likely you dont need to configure)
$MONKEY_ISLAND_DIR = Join-Path "\monkey" -ChildPath "monkey_island"
$MONKEY_DIR = Join-Path "\monkey" -ChildPath "infection_monkey"
$SCOUTSUITE_DIR = Join-Path "\monkey" "common" "cloud" "scoutsuite"
$SAMBA_BINARIES_DIR = Join-Path -Path $MONKEY_DIR -ChildPath "\bin"
$TEMP_PYTHON_INSTALLER = ".\python.exe"
$TEMP_MONGODB_ZIP = ".\mongodb.zip"
$TEMP_OPEN_SSL_ZIP = ".\openssl.zip"
$TEMP_CPP_INSTALLER = "cpp.exe"
$TEMP_NPM_INSTALLER = "node.msi"
@ -28,8 +41,9 @@ $TEMP_UPX_ZIP = "upx.zip"
$UPX_FOLDER = "upx-3.96-win64"
# Other url's
$MONGODB_URL = "https://downloads.mongodb.org/win32/mongodb-win32-x86_64-2012plus-v4.2-latest.zip"
$OPEN_SSL_URL = "https://indy.fulgan.com/SSL/openssl-1.0.2u-x64_86-win64.zip"
$CPP_URL = "https://go.microsoft.com/fwlink/?LinkId=746572"
$NPM_URL = "https://nodejs.org/dist/v16.14.2/node-v16.14.2-x64.msi"
$NPM_URL = "https://nodejs.org/dist/v12.14.1/node-v12.14.1-x64.msi"
$UPX_URL = "https://github.com/upx/upx/releases/download/v3.96/upx-3.96-win64.zip"
$SWIMM_URL="https://github.com/swimmio/SwimmReleases/releases/download/v0.4.4-0/Swimm-Setup-0.4.4-0.exe"

35
deployment_scripts/deploy_linux.sh
View File

@ -93,7 +93,7 @@ log_message "Cloning files from git"
branch=${2:-"develop"}
log_message "Branch selected: ${branch}"
if [[ ! -d "$monkey_home/monkey" ]]; then # If not already cloned
git clone --recurse-submodules -b "$branch" "${MONKEY_GIT_URL}" "${monkey_home}" 2>&1 || handle_error
git clone --single-branch --recurse-submodules -b "$branch" "${MONKEY_GIT_URL}" "${monkey_home}" 2>&1 || handle_error
fi
# Create folders
@ -161,15 +161,20 @@ agents=${3:-true}
if [ "$agents" = true ] ; then
log_message "Downloading binaries"
if exists wget; then
wget -c -N -P ${ISLAND_BINARIES_PATH} ${LINUX_32_BINARY_URL}
wget -c -N -P ${ISLAND_BINARIES_PATH} ${LINUX_64_BINARY_URL}
wget -c -N -P ${ISLAND_BINARIES_PATH} ${WINDOWS_32_BINARY_URL}
wget -c -N -P ${ISLAND_BINARIES_PATH} ${WINDOWS_64_BINARY_URL}
else
curl -o ${ISLAND_BINARIES_PATH}\monkey-linux-32 ${LINUX_32_BINARY_URL}
curl -o ${ISLAND_BINARIES_PATH}\monkey-linux-64 ${LINUX_64_BINARY_URL}
curl -o ${ISLAND_BINARIES_PATH}\monkey-windows-32.exe ${WINDOWS_32_BINARY_URL}
curl -o ${ISLAND_BINARIES_PATH}\monkey-windows-64.exe ${WINDOWS_64_BINARY_URL}
fi
fi
# Allow them to be executed
chmod a+x "$ISLAND_BINARIES_PATH/$LINUX_32_BINARY_NAME"
chmod a+x "$ISLAND_BINARIES_PATH/$LINUX_64_BINARY_NAME"
# If a user haven't installed mongo manually check if we can install it with our script
@ -192,7 +197,7 @@ chmod u+x "${ISLAND_PATH}"/linux/create_certificate.sh
# Update node
if ! exists npm; then
log_message "Installing nodejs"
node_src=https://deb.nodesource.com/setup_16.x
node_src=https://deb.nodesource.com/setup_12.x
if exists curl; then
curl -sL $node_src | sudo -E bash -
else
@ -202,15 +207,37 @@ if ! exists npm; then
fi
pushd "$ISLAND_PATH/cc/ui" || handle_error
npm ci
npm install sass-loader node-sass webpack --save-dev
npm update
log_message "Generating front end"
npm run dev
npm run dist
popd || handle_error
# Making dir for binaries
mkdir "${MONKEY_BIN_DIR}"
# Download sambacry binaries
log_message "Downloading sambacry binaries"
# shellcheck disable=SC2086
if exists wget; then
wget -c -N -P "${MONKEY_BIN_DIR}" ${SAMBACRY_64_BINARY_URL}
wget -c -N -P "${MONKEY_BIN_DIR}" ${SAMBACRY_32_BINARY_URL}
else
curl -o ${MONKEY_BIN_DIR}/sc_monkey_runner64.so ${SAMBACRY_64_BINARY_URL}
curl -o ${MONKEY_BIN_DIR}/sc_monkey_runner32.so ${SAMBACRY_32_BINARY_URL}
fi
# Download traceroute binaries
log_message "Downloading traceroute binaries"
# shellcheck disable=SC2086
if exists wget; then
wget -c -N -P "${MONKEY_BIN_DIR}" ${TRACEROUTE_64_BINARY_URL}
wget -c -N -P "${MONKEY_BIN_DIR}" ${TRACEROUTE_32_BINARY_URL}
else
curl -o ${MONKEY_BIN_DIR}/traceroute64 ${TRACEROUTE_64_BINARY_URL}
curl -o ${MONKEY_BIN_DIR}/traceroute32 ${TRACEROUTE_32_BINARY_URL}
fi
# Download Swimm
log_message "Downloading swimm"
if exists wget; then

42
deployment_scripts/deploy_windows.ps1
View File

@ -49,7 +49,7 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
# Import the config variables
$config_filename = New-TemporaryFile
$config_filename = "$PsScriptRoot\config.ps1"
$config_filename = "config.ps1"
$config_url = "https://raw.githubusercontent.com/guardicore/monkey/" + $branch + "/deployment_scripts/config.ps1"
$webClient.DownloadFile($config_url, $config_filename)
. ./config.ps1
@ -163,8 +163,25 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
[Environment]::SetEnvironmentVariable("Path", $env:Path, "User")
}
$install_mongo_script = (Join-Path -Path $monkey_home -ChildPath "$MONKEY_ISLAND_DIR\windows\install_mongo.ps1")
Invoke-Expression "$install_mongo_script -binDir $binDir"
# Download mongodb
if (!(Test-Path -Path (Join-Path -Path $binDir -ChildPath "mongodb")))
{
"Downloading mongodb ..."
$webClient.DownloadFile($MONGODB_URL, $TEMP_MONGODB_ZIP)
"Unzipping mongodb"
Expand-Archive $TEMP_MONGODB_ZIP -DestinationPath $binDir
# Get unzipped folder's name
$mongodb_folder = Get-ChildItem -Path $binDir | Where-Object -FilterScript {
($_.Name -like "mongodb*")
} | Select-Object -ExpandProperty Name
# Move all files from extracted folder to mongodb folder
New-Item -ItemType directory -Path (Join-Path -Path $binDir -ChildPath "mongodb")
"Moving extracted files"
Move-Item -Path (Join-Path -Path $binDir -ChildPath $mongodb_folder | Join-Path -ChildPath "\bin\*") -Destination (Join-Path -Path $binDir -ChildPath "mongodb\")
"Removing zip file"
Remove-Item $TEMP_MONGODB_ZIP
Remove-Item (Join-Path -Path $binDir -ChildPath $mongodb_folder) -Recurse
}
# Download OpenSSL
"Downloading OpenSSL ..."
@ -192,7 +209,9 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
"Adding binaries"
$binaries = (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\cc\binaries")
New-Item -ItemType directory -path $binaries -ErrorAction SilentlyContinue
$webClient.DownloadFile($LINUX_32_BINARY_URL, (Join-Path -Path $binaries -ChildPath $LINUX_32_BINARY_PATH))
$webClient.DownloadFile($LINUX_64_BINARY_URL, (Join-Path -Path $binaries -ChildPath $LINUX_64_BINARY_PATH))
$webClient.DownloadFile($WINDOWS_32_BINARY_URL, (Join-Path -Path $binaries -ChildPath $WINDOWS_32_BINARY_PATH))
$webClient.DownloadFile($WINDOWS_64_BINARY_URL, (Join-Path -Path $binaries -ChildPath $WINDOWS_64_BINARY_PATH))
}
@ -223,7 +242,7 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
"Updating npm"
Push-Location -Path (Join-Path -Path $monkey_home -ChildPath $MONKEY_ISLAND_DIR | Join-Path -ChildPath "\cc\ui")
& npm update
& npm run dev
& npm run dist
Pop-Location
# Create infection_monkey/bin directory if not already present
@ -244,6 +263,21 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
Remove-Item $TEMP_UPX_ZIP
}
# Download sambacry binaries
$samba_path = Join-Path -Path $monkey_home -ChildPath $SAMBA_BINARIES_DIR
$samba32_path = Join-Path -Path $samba_path -ChildPath $SAMBA_32_BINARY_NAME
if (!(Test-Path -Path $samba32_path))
{
"Downloading sambacry 32 binary"
$webClient.DownloadFile($SAMBA_32_BINARY_URL, $samba32_path)
}
$samba64_path = Join-Path -Path $samba_path -ChildPath $SAMBA_64_BINARY_NAME
if (!(Test-Path -Path $samba64_path))
{
"Downloading sambacry 64 binary"
$webClient.DownloadFile($SAMBA_64_BINARY_URL, $samba64_path)
}
# Get Swimm
"Downloading Swimm..."
$swimm_filename = Join-Path -Path $HOME -ChildPath "swimm.exe"

65
deployment_scripts/dump_attack_mitigations/attack_mitigations.py
View File

@ -1,65 +0,0 @@
from typing import Dict
from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField, ListField, StringField
from stix2 import AttackPattern, CourseOfAction
class Mitigation(EmbeddedDocument):
name = StringField(required=True)
description = StringField(required=True)
url = StringField()
@staticmethod
def get_from_stix2_data(mitigation: CourseOfAction):
name = mitigation["name"]
description = mitigation["description"]
url = get_stix2_external_reference_url(mitigation)
return Mitigation(name=name, description=description, url=url)
class AttackMitigations(Document):
technique_id = StringField(required=True, primary_key=True)
mitigations = ListField(EmbeddedDocumentField("Mitigation"))
def add_mitigation(self, mitigation: CourseOfAction):
mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
if mitigation_external_ref_id.startswith("M"):
self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
def add_no_mitigations_info(self, mitigation: CourseOfAction):
mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
mitigation_mongo_object["description"] = mitigation_mongo_object[
"description"
].splitlines()[0]
mitigation_mongo_object["url"] = ""
self.mitigations.append(mitigation_mongo_object)
@staticmethod
def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
return {
key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
for key, attack_pattern in stix2_dict.items()
}
@staticmethod
def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
return AttackMitigations(
technique_id=get_stix2_external_reference_id(attack_pattern),
mitigations=[],
)
def get_stix2_external_reference_url(stix2_data) -> str:
for reference in stix2_data["external_references"]:
if "url" in reference:
return reference["url"]
return ""
def get_stix2_external_reference_id(stix2_data) -> str:
for reference in stix2_data["external_references"]:
if reference["source_name"] == "mitre-attack" and "external_id" in reference:
return reference["external_id"]
return ""

184
deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
View File

@ -1,184 +0,0 @@
import argparse
import json
import subprocess
import time
from pathlib import Path
from typing import Dict, List
import mongoengine
import pymongo
from attack_mitigations import AttackMitigations
from bson import json_util
from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
COLLECTION_NAME = "attack_mitigations"
def main():
args = parse_args()
set_default_mongo_connection(args.database_name, args.mongo_host, args.mongo_port)
mongo_client = pymongo.MongoClient(host=args.mongo_host, port=args.mongo_port)
database = mongo_client.get_database(args.database_name)
clean_collection(database)
populate_attack_mitigations(database, Path(args.cti_repo))
dump_attack_mitigations(database, Path(args.cti_repo), Path(args.dump_file_path))
def parse_args():
parser = argparse.ArgumentParser(
description="Export attack mitigations from a database",
formatter_class=argparse.ArgumentDefaultsHelpFormatter,
)
parser.add_argument(
"--mongo_host", default="localhost", help="URL for mongo database.", required=False
)
parser.add_argument(
"--mongo-port",
action="store",
default=27017,
type=int,
help="Port for mongo database.",
required=False,
)
parser.add_argument(
"--database-name",
action="store",
default="monkeyisland",
help="Database name inside of mongo.",
required=False,
)
parser.add_argument(
"--cti-repo",
action="store",
default="attack_mitigations",
help="The path to the Cyber Threat Intelligence Repository.",
required=True,
)
parser.add_argument(
"--dump-file-path",
action="store",
default="./attack_mitigations.json",
help="A file path where the database dump will be saved.",
required=False,
)
return parser.parse_args()
def set_default_mongo_connection(database_name: str, host: str, port: int):
mongoengine.connect(db=database_name, host=host, port=port)
def clean_collection(database: pymongo.database.Database):
if collection_exists(database, COLLECTION_NAME):
database.drop_collection(COLLECTION_NAME)
def collection_exists(database: pymongo.database.Database, collection_name: str) -> bool:
return collection_name in database.list_collection_names()
def populate_attack_mitigations(database: pymongo.database.Database, cti_repo: Path):
database.create_collection(COLLECTION_NAME)
attack_data_path = cti_repo / "enterprise-attack"
stix2_mitigations = get_all_mitigations(attack_data_path)
mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
get_all_attack_techniques(attack_data_path)
)
mitigation_technique_relationships = get_technique_and_mitigation_relationships(
attack_data_path
)
for relationship in mitigation_technique_relationships:
mongo_mitigations[relationship["target_ref"]].add_mitigation(
stix2_mitigations[relationship["source_ref"]]
)
for relationship in mitigation_technique_relationships:
mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
stix2_mitigations[relationship["source_ref"]]
)
for key, mongo_object in mongo_mitigations.items():
mongo_object.save()
def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]:
file_system = FileSystemSource(attack_data_path)
mitigation_filter = [Filter("type", "=", "course-of-action")]
all_mitigations = file_system.query(mitigation_filter)
all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
return all_mitigations
def get_all_attack_techniques(attack_data_path: Path) -> Dict[str, AttackPattern]:
file_system = FileSystemSource(attack_data_path)
technique_filter = [Filter("type", "=", "attack-pattern")]
all_techniques = file_system.query(technique_filter)
all_techniques = {technique["id"]: technique for technique in all_techniques}
return all_techniques
def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[CourseOfAction]:
file_system = FileSystemSource(attack_data_path)
technique_filter = [
Filter("type", "=", "relationship"),
Filter("relationship_type", "=", "mitigates"),
]
all_techniques = file_system.query(technique_filter)
return all_techniques
def dump_attack_mitigations(
database: pymongo.database.Database, cti_repo: Path, dump_file_path: Path
):
if not collection_exists(database, COLLECTION_NAME):
raise Exception(f"Could not find collection: {COLLECTION_NAME}")
metadata = get_metadata(cti_repo)
data = get_data_from_database(database)
json_output = f'{{"metadata":{json.dumps(metadata)},"data":{json_util.dumps(data)}}}'
with open(dump_file_path, "wb") as jsonfile:
jsonfile.write(json_output.encode())
def get_metadata(cti_repo: Path) -> dict:
timestamp = str(time.time())
commit_hash = get_commit_hash(cti_repo)
origin_url = get_origin_url(cti_repo)
return {"timestamp": timestamp, "commit_hash": commit_hash, "origin_url": origin_url}
def get_commit_hash(cti_repo: Path) -> str:
return run_command(["git", "rev-parse", "--short", "HEAD"], cti_repo).strip()
def get_origin_url(cti_repo: Path) -> str:
return run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
def run_command(cmd: List, cwd: Path = None) -> str:
cp = subprocess.run(cmd, capture_output=True, cwd=cwd, encoding="utf-8")
if cp.returncode != 0:
raise Exception(
f"Error running command -- Command: {cmd} -- Return Code: {cp.returncode} -- stderr: "
f"{cp.stderr}"
)
return cp.stdout
def get_data_from_database(database: pymongo.database.Database) -> pymongo.cursor.Cursor:
collection = database.get_collection(COLLECTION_NAME)
collection_contents = collection.find()
return collection_contents
if __name__ == "__main__":
main()

13
deployment_scripts/dump_attack_mitigations/requirements.txt
View File

@ -1,13 +0,0 @@
antlr4-python3-runtime==4.8
certifi==2021.5.30
charset-normalizer==2.0.6
idna==3.2
mongoengine==0.23.1
pymongo==3.12.0
pytz==2021.1
requests==2.26.0
simplejson==3.17.5
six==1.16.0
stix2==3.0.1
stix2-patterns==1.3.2
urllib3==1.26.7

4
docs/config/production/config.toml
View File

@ -1,2 +1,2 @@
baseURL = "https://monkey-documentation.website-us-southeast-1.linodeobjects.com"
canonifyURLs = false
baseURL = "https://www.guardicore.com/infectionmonkey/docs/"
canonifyURLs = true

4
docs/config/staging/config.toml
View File

@ -1,2 +1,2 @@
baseURL = "http://monkey-documentation-staging.website-us-southeast-1.linodeobjects.com"
canonifyURLs = false
baseURL = "http://staging-infectionmonkey.temp312.kinsta.cloud/docs/"
canonifyURLs = true

325
docs/content/FAQ/_index.md
View File

@ -8,139 +8,75 @@ pre: "<i class='fas fa-question'></i> "
Below are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey).
- [Where can I get the latest version of the Infection Monkey?](#where-can-i-get-the-latest-version-of-the-infection-monkey)
- [I updated to a new version of the Infection Monkey and I'm being asked to delete my existing data directory. Why?](#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why)
- [How can I use an old data directory?](#how-can-i-use-an-old-data-directory)
- [How long does a single Infection Monkey agent run? Is there a time limit?](#how-long-does-a-single-infection-monkey-agent-run-is-there-a-time-limit)
- [How long does it take to stop all running Infection Monkey agents?](#how-long-does-it-take-to-stop-all-running-infection-monkey-agents)
- [Is the Infection Monkey a malware/virus?](#is-the-infection-monkey-a-malwarevirus)
- [Reset the Monkey Island password](#reset-the-monkey-island-password)
- [Reset/enable the Monkey Island password](#resetenable-the-monkey-island-password)
- [Should I run the Infection Monkey continuously?](#should-i-run-the-infection-monkey-continuously)
- [Exactly what internet queries does the Infection Monkey perform?](#exactly-what-internet-queries-does-the-infection-monkey-perform)
- [Which queries does the Infection Monkey perform to the internet exactly?](#which-queries-does-the-infection-monkey-perform-to-the-internet-exactly)
- [Logging and how to find logs](#logging-and-how-to-find-logs)
- [Downloading logs](#downloading-logs)
- [Log locations](#log-locations)
- [Monkey Island server logs](#monkey-island-server-logs)
- [Infection Monkey agent logs](#infection-monkey-agent-logs)
- [Monkey Island server](#monkey-island-server)
- [Infection Monkey agent](#infection-monkey-agent)
- [How do I change the log level of the Monkey Island logger?](#how-do-i-change-the-log-level-of-the-monkey-island-logger)
- [Running the Infection Monkey in a production environment](#running-the-infection-monkey-in-a-production-environment)
- [How much of a footprint does the Infection Monkey leave?](#how-much-of-a-footprint-does-the-infection-monkey-leave)
- [What's the Infection Monkey Agent's impact on system resources usage?](#whats-the-infection-monkey-agents-impact-on-system-resources-usage)
- [What are the system resource requirements for the Monkey Island?](#what-are-the-system-resource-requirements-for-the-monkey-island)
- [What's the Infection Monkey's impact on system resources usage?](#whats-the-infection-monkeys-impact-on-system-resources-usage)
- [Is it safe to use real passwords and usernames in the Infection Monkey's configuration?](#is-it-safe-to-use-real-passwords-and-usernames-in-the-infection-monkeys-configuration)
- [How do you store sensitive information on Monkey Island?](#how-do-you-store-sensitive-information-on-monkey-island)
- [How stable are the exploits used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits?](#how-stable-are-the-exploits-used-by-the-infection-monkey-will-the-infection-monkey-crash-my-systems-with-its-exploits)
- [After I've set up Monkey Island, how can I execute the Infection Monkey agent?](#after-ive-set-up-monkey-island-how-can-i-execute-the-infection-monkey-agent)
- [How stable are the exploitations used by the Infection Monkey? Will the Infection Monkey crash my systems with its exploits?](#how-stable-are-the-exploitations-used-by-the-infection-monkey-will-the-infection-monkey-crash-my-systems-with-its-exploits)
- [After I've set up Monkey Island, how can I execute the Infection Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-infection-monkey-agent)
- [How can I make the Infection Monkey agents propagate “deeper” into the network?](#how-can-i-make-the-infection-monkey-agent-propagate-deeper-into-the-network)
- [What if the report returns a blank screen?](#what-if-the-report-returns-a-blank-screen)
- [Can I limit how the Infection Monkey propagates through my network?](#can-i-limit-how-the-infection-monkey-propagates-through-my-network)
- [How can I get involved with the project?](#how-can-i-get-involved-with-the-project)
## Where can I get the latest version of the Infection Monkey?
For the latest **stable** release, visit [our downloads page](https://www.akamai.com/infectionmonkey#download). **This is the recommended and supported version**!
For the latest **stable** release, visit [our downloads page](https://www.guardicore.com/infectionmonkey/#download). **This is the recommended and supported version**!
If you want to see what has changed between versions, refer to the [releases page on GitHub](https://github.com/guardicore/monkey/releases). For the latest development version, visit the [develop version on GitHub](https://github.com/guardicore/monkey/tree/develop).
## I updated to a new version of the Infection Monkey and I'm being asked to delete my existing data directory. Why?
The [data directory]({{< ref "/reference/data_directory" >}}) contains the
Infection Monkey's database and other internal
data. For the new version of Infection Monkey to work flawlessly, a data
directory with a compatible structure needs to be set up.
If you would like to save the data gathered from the Monkey's previous runs,
you can make a backup of your [existing data directory]({{< ref
"/reference/data_directory" >}}) before deleting it.
## How can I use an old data directory?
To use the data stored in a data directory from an older version, reinstall the
version of the Monkey Island which matches your data directory's version. Then,
copy the backup of your old data directory to the [appropriate location]({{<
ref "/reference/data_directory" >}}).
## How long does a single Infection Monkey agent run? Is there a time limit?
The Infection Monkey agent shuts off either when it can't find new victims or it has exceeded the quota of victims as defined in the configuration.
## How long does it take to stop all running Infection Monkey agents?
On the Infection Map page, when <b>Kill All Monkeys</b> is pressed, the agents
try to finish execution safely. This can take up to 2 minutes, but will be much
shorter on average.
## Is the Infection Monkey a malware/virus?
The Infection Monkey is not malware, but it uses similar techniques to safely
simulate malware on your network.
Because of this, the Infection Monkey gets flagged as malware by some antivirus
solutions during installation. If this happens, [verify the integrity of the
downloaded installer](/usage/file-checksums) first. Then, create a new folder
and disable antivirus scan for that folder. Lastly, re-install the Infection
Monkey in the newly created folder.
## Reset the Monkey Island password
{{% notice warning %}}
If you reset the credentials, the database will be cleared. Any findings of the Infection Monkey from previous runs will be lost. <br/><br/>
However, you can save the Monkey's existing configuration by logging in with your current credentials and clicking on the **Export config** button on the configuration page.
{{% /notice %}}
### On Windows and Linux (AppImage)
## Reset/enable the Monkey Island password
When you first access the Monkey Island server, you'll be prompted to create an account.
Creating an account will write your credentials in `credentials.json` file
under [data directory]({{< ref "/reference/data_directory" >}}).
To reset the credentials:
1. **Remove** the `credentials.json` file manually
(located in the [data directory]({{< ref "/reference/data_directory" >}})).
2. Restart the Monkey Island process:
* On Linux, simply kill the Monkey Island process and execute the AppImage.
* On Windows, restart the program.
3. Go to the Monkey Island's URL and create a new account.
If you are still unable to log into Monkey Island after following the above
steps, you can perform a complete factory reset by removing the entire [data
directory]({{< ref "/reference/data_directory" >}}) and then restarting the
Monkey Island process.
### On Docker
When you first access the Monkey Island server, you'll be prompted to create an account.
To reset the credentials, you'll need to perform a complete factory reset:
1. Kill the Monkey Island container:
```bash
sudo docker kill monkey-island
```
1. Kill the MongoDB container:
```bash
sudo docker kill monkey-mongo
```
1. Remove the MongoDB volume:
```bash
sudo docker volume rm db
```
1. Restart the MongoDB container:
```bash
sudo docker run \
--name monkey-mongo \
--network=host \
--volume db:/data/db \
--detach \
mongo:4.2
```
1. Restart the Monkey Island container
```bash
sudo docker run \
--name monkey-island \
--network=host \
guardicore/monkey-island:VERSION
```
1. Go to the Monkey Island's URL and create a new account.
To reset the credentials or enable/disable the authentication,
edit the `server_config.json` file manually
(located in the [data directory](/reference/data_directory)).
In order to reset the credentials, the following edits need to be made:
1. Delete the `user` field if one exists. It will look like this:
```json
{
...
"user": "username",
...
}
```
1. Delete the `password_hash` field if one exists. It will look like this:
```json
{
...
"password_hash": "$2b$12$d050I/MsR5.F5E15Sm7EkunmmwMkUKaZE0P0tJXG.M9tF.Kmkd342",
...
}
```
1. Set `server_config` to `password`. It should look like this:
```json
{
...
"environment": {
...
"server_config": "password",
...
},
...
}
```
Then, reset the Monkey Island process.
On Linux, use `sudo systemctl restart monkey-island.service`.
On Windows, restart the program.
Finally, go to the Monkey Island's URL and create a new account.
## Should I run the Infection Monkey continuously?
@ -159,75 +95,34 @@ If internet access is available, the Infection Monkey will use the internet for
The Monkey performs queries out to the Internet on two separate occasions:
1. The Infection Monkey agent checks if it has internet access by performing
requests to pre-configured domains. By default, these domains are
`monkey.guardicore.com` and `www.google.com`, which can be changed. The
request doesn't include any extra information - it's a GET request with no
extra parameters. Since the Infection Monkey is 100% open-source, you can
find the domains in the configuration
[here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/config.py#L152)
and the code that performs the internet check
[here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/network/info.py#L123).
This **IS NOT** used for statistics collection.
1. After the Monkey Island starts it sends a GET request with current
deployment type to the update server to fetch the latest version and a
download link for it. This information is used by the Monkey Island to
suggest an update if one is available. No information gets collected during
this process.
1. After the Monkey Island starts it sends a GET request to the analytics
server with your deployment type and a version number. This information gets
collected on the analytics server. It is used to understand which deployment
types/versions are no longer used and can be deprecated.
1. The Infection Monkey agent checks if it has internet access by performing requests to pre-configured domains. By default, these domains are `monkey.guardicore.com` and `www.google.com`, which can be changed. The request doesn't include any extra information - it's a GET request with no extra parameters. Since the Infection Monkey is 100% open-source, you can find the domains in the configuration [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/config.py#L152) and the code that performs the internet check [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/infection_monkey/network/info.py#L123). This **IS NOT** used for statistics collection.
1. After installing the Monkey Island, it sends a request to check for updates on `updates.infectionmonkey.com`. The request doesn't include any PII other than the IP address of the request. It also includes the server's deployment type (e.g., Windows Server, Debian Package, AWS Marketplace) and the server's version (e.g., "1.6.3"), so we can check if we have an update available for this type of deployment. Since the Infection Monkey is 100% open-source, you can inspect the code that performs this [here](https://github.com/guardicore/monkey/blob/85c70a3e7125217c45c751d89205e95985b279eb/monkey/monkey_island/cc/services/version_update.py#L37). This **IS** used for statistics collection. However, due to this data's anonymous nature, we use this to get an aggregate assumption of how many deployments we see over a specific time period - it's not used for "personal" tracking.
## Logging and how to find logs
### Downloading logs
### Monkey Island server logs
Both Monkey Agent and Monkey Island logs can be found in the Infection Map page. Click on the
machine from which you want to download logs and press the "Download log" button on the side panel.
Note that you can only download the Monkey Island log by clicking on the Monkey Island machine in
the Infection Map.
You can download the Monkey Island's log file directly from the UI. Click the "log" section and choose **Download Monkey Island internal logfile**, like so:
![How to download logs](/images/faq/log_download.jpg "How to download logs")
![How to download Monkey Island internal log file](/images/faq/download_log_monkey_island.png "How to download Monkey Island internal log file")
### Log locations
If the logs can't be downloaded through the UI for any reason, you can collect the log files
directly from the machine where an Agent or Monkey Island ran.
#### Monkey Island server logs
The Monkey Island's log file is located in the
[data directory]({{< ref "/reference/data_directory" >}}).
It can also be found as a local file on the Monkey Island server system in the specified
[data directory](/reference/data_directory).
The log enables you to see which requests were requested from the server and extra logs from the backend logic. The log will contain entries like these:
```log
2022-04-18 13:48:43,914 - pywsgi.py:1226 - write() - INFO - 192.168.56.1 - - [2022-04-18 13:48:43] "GET /api/agent-binaries/windows HTTP/1.1" 200 21470665 0.293586
2022-04-18 13:48:49,970 - pywsgi.py:1226 - write() - INFO - 192.168.56.1 - - [2022-04-18 13:48:49] "GET /api/island-mode HTTP/1.1" 200 128 0.003426
2022-04-18 13:48:49,988 - report.py:355 - get_domain_issues() - INFO - Domain issues generated for reporting
2019-07-23 10:52:23,927 - wsgi.py:374 - _log() - INFO - 200 GET /api/local-monkey (10.15.1.75) 17.54ms
2019-07-23 10:52:23,989 - client_run.py:23 - get() - INFO - Monkey is not running
2019-07-23 10:52:24,027 - report.py:580 - get_domain_issues() - INFO - Domain issues generated for reporting
```
It's also possible to change the default log level by editing `log_level` value in a [server configuration file](../../reference/server_configuration).
`log_level` can be set to `info`(default, less verbose) or `debug`(more verbose).
### Infection Monkey agent logs
The Infection Monkey agent log file can be found in the following paths on machines where it was executed:
#### Infection Monkey agent logs
The Infection Monkey agent log file can be found in directories specified for
temporary files on the machines where it was executed. In most cases, this will
be `/tmp` on Linux and `%temp%` on Windows. The agent searches a standard list
of directories to find an appropriate place to store the log:
1. The directory named by the `TMPDIR` environment variable.
2. The directory named by the `TEMP` environment variable.
3. The directory named by the `TMP` environment variable.
4. A platform-specific location:
- On Windows, the directories `C:\TEMP`, `C:\TMP`, `\TEMP`, and `\TMP`, in that order.
- On all other platforms, the directories `/tmp`, `/var/tmp`, and `/usr/tmp`, in that order.
5. As a last resort, the current working directory.
Infection Monkey log file name is constructed to the following pattern: `infection-monkey-agent-<TIMESTAMP>-<RANDOM_STRING>.log`
- Path on Linux: `/tmp/user-1563`
- Path on Windows: `%temp%\\~df1563.tmp`
The logs contain information about the internals of the Infection Monkey agent's execution. The log will contain entries like these:
@ -245,40 +140,42 @@ The logs contain information about the internals of the Infection Monkey agent's
2019-07-22 19:16:45,013 [77598:140654230214464:DEBUG] connectionpool._make_request.396: https://updates.infectionmonkey.com:443 "GET / HTTP/1.1" 200 61
```
### How do I change the log level of the Monkey Island logger?
The log level of the Monkey Island logger is set in the `log_level` field
in the `server_config.json` file (located in the [data directory](/reference/data_directory)).
Make sure to leave everything else in `server_config.json` unchanged:
```json
{
...
"log_level": "DEBUG",
...
}
```
Logging levels correspond to [the logging level constants in python](https://docs.python.org/3.7/library/logging.html#logging-levels).
To apply the changes, reset the Monkey Island process.
On Linux, use `sudo systemctl restart monkey-island.service`.
On Windows, restart the program.
## Running the Infection Monkey in a production environment
### How much of a footprint does the Infection Monkey leave?
The Infection Monkey leaves hardly any trace on the target system. It will leave:
- Log files in [temporary directories]({{< ref "/faq/#infection-monkey-agent-logs">}}):
- Path on Linux: `/tmp/infection-monky-agent-<TIMESTAMP>-<RANDOM_STRING>.log`
- Path on Windows: `%temp%\\infection-monky-agent-<TIMESTAMP>-<RANDOM_STRING>.log`
- Log files in the following locations:
- Path on Linux: `/tmp/user-1563`
- Path on Windows: `%temp%\\~df1563.tmp`
### What's the Infection Monkey Agent's impact on system resources usage?
### What's the Infection Monkey's impact on system resources usage?
The Infection Monkey Agent uses less than a single-digit percent of CPU time and very low RAM usage. For example, on a single-core Windows Server machine, the Infection Monkey Agent consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically.
The Infection Monkey uses less than a single-digit percent of CPU time and very low RAM usage. For example, on a single-core Windows Server machine, the Infection Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically.
If you do experience any performance issues please let us know on [our Slack channel](https://infectionmonkey.slack.com/) or [open an issue on GitHub](https://github.com/guardicore/monkey).
### What are the system resource requirements for the Monkey Island?
#### Linux
**CPU**: Intel(R) Xeon(R) CPU @ 2.20GHz or better
**CPU Cores**: 2
**RAM**: 4GB
#### Windows
**CPU**: Intel(R) Xeon(R) CPU @ 2.20GHz or better
**CPU Cores**: 4
**RAM**: 6GB
### Is it safe to use real passwords and usernames in the Infection Monkey's configuration?
Absolutely! User credentials are stored encrypted in the Monkey Island server. This information is accessible only to users that have access to the specific Monkey Island.
@ -316,58 +213,6 @@ This is sometimes caused when Monkey Island is installed with an old version of
- **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/).
- **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of MongoDB using the [official MongoDB manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Monkey Island again and everything should work.
## Can I limit how the Infection Monkey propagates through my network?
Yes! To limit how the Infection Monkey propagates through your network, you can:
#### Adjust the scan depth
The scan depth limits the number of hops that the Infection Monkey agent will
spread from patient zero. If you set the scan depth to one, the agent will only
reach a single hop from the initially infected machine. Scan depth does not
limit the number of devices, just the number of hops.
- **Example**: In this example, the scan depth is set to two. _Host A_ scans the
network and finds hosts _B, C, D_ and _E_. The Infection Monkey agent
successfully propagates from _Host A_ to _Host C_. Since the scan depth is 2,
the agent will pivot from _Host C_ and continue to scan other machines on the
network. However, if _Host C_ successfully breaches _Host E_, it will not pivot
further nor continue to scan or propagate.
![What is scan depth](/images/faq/propagation_depth_diagram.png "What is scan
depth")
#### Enable or disable scanning the local subnet
You can find the settings that define how the Infection Monkey will scan your
network in `Configuration -> Network`. Each agent will scan its entire local
subnet by default, but you can disable this behavior by unchecking the `Local
network scan` button.
#### Add IPs to the IP allow list
You can specify which hosts you want the Infection Monkey agents to attempt to
scan in the `Configuration -> Network -> Scan target list` section.
#### Add IPs to the IP block list
If there are any hosts on your network that you would like to prevent the
Infection Monkey from scanning or exploiting, you can add them to the list of
"Blocked IPs" in `Configuration -> Network -> Blocked IPs`.
#### Specify max number of victims to find/exploit
Two settings in `Configuration -> Internal -> Monkey` allow you to further
limit the Infection Monkey's propagation:
- **Max victims to find**: This limits the total number of machines that the
Infection Monkey is allowed to scan.
- **Max victims to exploit**: This limits the total number of machines that the
Infection Monkey is allowed to successfully exploit.
## How can I get involved with the project?
Infection Monkey is an open-source project, and we welcome contributions and contributors. Check out the [contribution documentation]({{< ref "/development" >}}) for more information.

4
docs/content/_index.md
View File

@ -13,7 +13,7 @@ draft: false
The Infection Monkey is an open-source breach and attack simulation tool for testing a data center's resiliency to perimeter breaches and internal server infection.
Infection Monkey will help you validate existing security solutions and will provide a view of the internal network from an attacker's perspective.
Infection Monkey is free and can be downloaded from [our homepage](https://www.akamai.com/infectionmonkey).
Infection Monkey is free and can be downloaded from [our homepage](https://infectionmonkey.com/).
![Infection Monkey Documentation Hub Logo](/images/monkey-teacher.svg?height=400px "Infection Monkey Documentation Hub Logo")
@ -40,7 +40,7 @@ A more in-depth description of reports generated can be found in the [reports do
## Getting Started
If you haven't downloaded Infection Monkey yet you can do so [from our homepage](https://www.akamai.com/infectionmonkey#download). After downloading the Monkey, install it using one of our [setup guides]({{< ref "/setup" >}}), and read our [getting started guide]({{< ref "/usage/getting-started" >}}) for a quick-start on Monkey!
If you haven't downloaded Infection Monkey yet you can do so [from our homepage](https://www.guardicore.com/infectionmonkey/#download). After downloading the Monkey, install it using one of our [setup guides]({{< ref "/setup" >}}), and read our [getting started guide]({{< ref "/usage/getting-started" >}}) for a quick-start on Monkey!
## Support and community

6
docs/content/development/_index.md
View File

@ -24,9 +24,9 @@ You can take a look at [our roadmap](https://github.com/guardicore/monkey/projec
### More exploits! 💥
The best way to find weak spots in a network is by attacking it. The [*Adding Exploits*](./adding-exploits/) page will help you add exploits.
The best way to find weak spots in a network is by attacking it. The [exploit template](https://github.com/guardicore/monkey/wiki/Exploit-templates) page will help you add exploits.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Hadoop.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.
### Analysis plugins 🔬
@ -38,6 +38,6 @@ We always want to improve the core Infection Monkey code to make it smaller, fas
### Documentation 📚
Every project requires excellent documentation. The Infection Monkey is no different. Please feel free to open pull requests with suggestions, improvements or issues and ask us to document various parts of the Monkey.
Every project requires excellent documentation. The Infection Monkey is no different. Please feel free to open pull requests with suggestions, improvements or issues and asking us to document various parts of the Monkey.
The Infection Monkey's documentation is stored in the `/docs/content` directory.

105
docs/content/development/adding-exploits.md
View File

@ -1,110 +1,7 @@
---
title: "Adding Exploits"
date: 2020-06-08T19:53:00+03:00
draft: false
draft: true
tags: ["contribute"]
weight: 50
---
## What does this guide cover?
This guide will show you how to add a new _Exploit_ to the Infection Monkey.
An exploit is a sequence of commands that takes advantage of a security vulnerability to gain unauthorized access to a system on your network. If successful, an Infection Monkey agent is released on the exploited system. The result of an attempted exploit is sent back to the Monkey Island as part of the telemetry.
### Do I need a new Exploit?
If all you want to do is execute a shell command, configure the required commands in the Monkey Island's post-breach action (PBA) configuration section or [add a new PBA](../adding-post-breach-actions/).
However, if you have your eye on an interesting CVE that you would like the Infection Monkey to support, you must add a new exploit. Keep reading to learn how to add a new exploit.
## How to add a new Exploit
### Modify the Infection Monkey Agent
The Infection Monkey exploiters are all built in a similar way. Each exploiter class inherits from the [`HostExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/HostExploiter.py) class, which exposes two interface functions:
* `is_os_supported` - Returns a boolean value denoting whether the victim machine is supported by the exploiter (for example, returns `False` on Windows victim machines for the `SSHExploiter`). This can be used to thoroughly inspect a potential victim machine and decide whether to attempt the exploit on that particular machine (for example, by checking for open services matching specific versions).
* `exploit_host` - Exploits the host and returns a boolean value indicating whether or not the exploit was successful.
#### Adding a new exploiter
In the [Infection Monkey's exploit directory](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/exploit), add the **exploit's logic** by defining a new class that inherits from [`HostExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/HostExploiter.py). If your new exploit is a web RCE (remote code execution) exploit, inherit from [`WebRCE`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/web_rce.py).
```py
from infection_monkey.exploit.HostExploiter import HostExploiter
class MyNewExploiter(HostExploiter):
...
```
A good example of an exploiter class is the [`SSHExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/sshexec.py). The [Log4Shell exploiter is a recently added web RCE exploit](https://github.com/guardicore/monkey/pull/1670) that is a good reference as well.
### Modify the Monkey Island
#### Configuration
1. Add your **exploiter's description** to the [configuration schema](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py).
```py
...
{
"type": "string",
"enum": ["SmbExploiter"],
"title": "SMB Exploiter",
"safe": True,
"attack_techniques": ["T1110", "T1075", "T1035"],
"info": "Brute forces using credentials provided by user and hashes gathered by mimikatz.",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/smbexec/",
},
{
"type": "string", <=================================
"enum": ["MyNewExploiter"], <=================================
"title": "My New Exploiter", <=================================
"safe": True, <=================================
"attack_techniques": [], <=================================
"info": "Information about your new exploiter.", <=================================
"link": "Link to the documentation page explaining your new exploiter.", <=================================
},
...
```
2. Update the default **list of exploiters** in the [configuration schema](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/config_schema/basic.py) by adding your new exploiter's class name.
```py
...
"exploiter_classes": {
"title": "Exploiters",
"type": "array",
"uniqueItems": True,
"items": {"$ref": "#/definitions/exploiter_classes"},
"default": [
"SmbExploiter",
...
"Log4ShellExploiter",
"MyNewExploiter", <=================================
],
}
...
```
#### Reporting
1. In the [report generation pipeline](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py), define how your **exploiter's data** should be processed and displayed in the report. Use the default `ExploitProcessor` or create a custom exploit processor if needed.
```py
class ExploiterDescriptorEnum(Enum):
SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
...
ZEROLOGON = ExploiterDescriptor("ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor)
MYNEWEXPLOITER = ExploitDescriptor("MyNewExploiter", "My New Eexploiter", ExploitProcessor) <=================================
```
2. Describe how the Monkey Island should **display your exploiter's results** by defining the UI contents in the [security report](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js).
### Documentation
**Update the documentation** to explain what your exploiter does in the [documentation framework](https://github.com/guardicore/monkey/blob/develop/docs/content/reference/exploiters/).

10
docs/content/development/adding-post-breach-actions.md
View File

@ -16,7 +16,7 @@ If all you want to do is execute shell commands, then there's no need to add a n
## How to add a new PBA
### Modify the Infection Monkey Agent
### From the Infection Monkey Side
#### Framework
@ -39,11 +39,11 @@ class MyNewPba(PBA):
#### Implementation
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
### Modify the Monkey Island
### From the Monkey Island Side
#### Configuration
@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
#### Telemetry processing
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.

101
docs/content/development/adding-system-info-collectors.md Normal file
View File

@ -0,0 +1,101 @@
---
title: "Adding System Info Collectors"
date: 2020-06-09T11:03:42+03:00
draft: false
tags: ["contribute"]
weight: 80
---
## What does this guide cover?
This guide will show you how to create a new _System Info Collector_ for the Infection Monkey. System Info Collectors are modules that each of the Infection Monkey agents runs that collect specific information and send it back to the Monkey Island as part of the System Info Telemetry.
### Do I need a new System Info Collector?
If all you want to do is execute a shell command, then there's no need to add a new System Info Collector - just configure the required commands in the Monkey Island's post-breach action (PBA) section! Also, if there is a relevant System Info Collector and you only need to add more information to it, simply expand the existing one. Otherwise, you must add a new System Info Collector.
## How to add a new System Info Collector
### From the Monkey Island Side
#### Framework
1. Create your new System Info Collector in the following directory: `monkey/infection_monkey/system_info/collectors` by first creating a new file with the name of your System Info Collector.
2. In that file, create a class that inherits from the `SystemInfoCollector` class:
```py
from infection_monkey.system_info.system_info_collector import SystemInfoCollector
class MyNewCollector(SystemInfoCollector):
```
3. Set the System Info Collector name in the constructor, like so:
```py
class MyNewCollector(SystemInfoCollector):
def __init__(self):
super(MyNewCollector, self).__init__(name="MyNewCollector")
```
#### Implementation
Override the `collect` method with your own implementation. See the `EnvironmentCollector.py` System Info Collector for reference. You can log during collection as well.
### From the Monkey Island Side
#### Configuration
##### Definitions
You'll need to add your Sytem Info Collector to the `monkey_island/cc/services/config_schema.py` file, under `definitions/system_info_collectors_classes/anyOf`, like so:
```json
"system_info_collectors_classes": {
"title": "System Information Collectors",
"type": "string",
"anyOf": [
{
"type": "string",
"enum": [
"EnvironmentCollector"
],
"title": "Which Environment this machine is on (on prem/cloud)",
"attack_techniques": []
},
{ <=================================
"type": "string", <=================================
"enum": [ <=================================
"MyNewCollector" <=================================
], <=================================
"title": "My new title", <=================================
"attack_techniques": [] <=================================
},
],
},
```
##### properties
Also, you can add the System Info Collector to be used by default by adding it to the `default` key under `properties/monkey/system_info/system_info_collectors_classes`:
```json
"system_info_collectors_classes": {
"title": "System info collectors",
"type": "array",
"uniqueItems": True,
"items": {
"$ref": "#/definitions/system_info_collectors_classes"
},
"default": [
"EnvironmentCollector",
"MyNewCollector" <=================================
],
"description": "Determines which system information collectors will collect information."
},
```
#### Telemetry processing
1. Add a process function under `monkey_island/cc/telemetry/processing/system_info_collectors/{DATA_NAME_HERE}.py`. The function should parse the System Info Collector's result. See `processing/system_info_collectors/environment.py` for example.
2. Add that function to `SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS` under `monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py`.

39
docs/content/development/attack_mitigations.md
View File

@ -1,39 +0,0 @@
---
title: "MITRE ATT&CK Mitigations"
date: 2021-09-30T08:18:37+03:00
draft: true
weight: 10
---
{{% notice info %}}
Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}).
{{% /notice %}}
## Summary
Attack Mitigations are presented in MITRE ATT&CK report. They appear next to
descriptions of attack techniques and suggest steps that can be taken to reduce
the risk of that particular technique being successful in a network. They also
provide links for further reading on https://attack.mitre.org/
The Infection Monkey is shipped with pre-processed information about MITRE
ATT&CK mitigations located at
`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. This may need to
be periodically updated as the MITRE ATT&CK framework evolves.
## Updating the MITRE ATT&CK mitigations data
1. Clone the [MITRE Cyber Threat Intelligence
Repository](https://github.com/mitre/cti) or the [Guardicore
fork](https://github.com/guardicore/cti):
```
$ CTI_REPO=$PWD/cti
$ git clone <REPO> $CTI_REPO
```
2. Start a MongoDB v4.2 server.
3. Run the script to generate the `attack_mitigations.json` file:
```
$ cd monkey/deployment_scripts/dump_attack_mitigations
$ pip install -r requirements.txt
$ python dump_attack_mitigations.py --cti-repo $CTI_REPO --dump-file-path ../../monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
```

1
docs/content/development/contribute-documentation.md
View File

@ -9,7 +9,6 @@ tags: ["contribute"]
The `/docs` folder contains the Infection Monkey Documentation site.
The site is based on [Hugo](https://gohugo.io/) and the [learn](https://themes.gohugo.io/theme/hugo-theme-learn/en) theme.
The Hugo version being used is 0.92.0.
- [Directory structure](#directory-structure)
- [content](#content)

4
docs/content/development/setup-development-environment.md
View File

@ -10,13 +10,13 @@ tags: ["contribute"]
To set up a development environment using scripts, look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/develop/deployment_scripts). If you want to set it up manually or run into problems, keep reading.
## The Infection Monkey Agent
## Agent
The agent (which we sometimes refer to as the Infection Monkey) is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. The Infection Monkey agent was built for Python 3.7. You can get it up and running by setting up a [virtual environment](https://docs.python-guide.org/dev/virtualenvs/) and installing the requirements listed in the [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/requirements.txt) inside it.
In order to compile the Infection Monkey for distribution by the Monkey Island, you'll need to run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/readme.txt) on each supported environment.
This means setting up an environment with Linux 64-bit with Python installed and a Windows 64-bit machine with developer tools, along with 64-bit Python versions.
This means setting up an environment with Linux 32/64-bit with Python installed and a Windows 64-bit machine with developer tools, along with 32/64-bit Python versions.
## The Monkey Island

4
docs/content/development/swimm.md
View File

@ -14,11 +14,11 @@ The Infection Monkey has development tutorials that use [`swimm.io`](https://swi
First, [sign up for swimm's beta](https://swimm.io/sign-beta). `swimm` is free for open-source projects, but as they're still in beta you'll need to sign up in order to download it.
After you've downloaded and installed `swimm`, open a shell in the Infection Monkey repo folder and run:
After you've downloaded and installed `swimm`, open a shell in the Infeciton Monkey repo folder and run:
```shell script
swimm start
```
```
A local web server with the currently available tutorials should show up, and will look something like this:

4
docs/content/reference/_index.md
View File

@ -4,11 +4,11 @@ date = 2020-05-26T20:55:04+03:00
weight = 30
chapter = true
pre = '<i class="fas fa-layer-group"></i> '
tags = ["reference"]
tags = ["reference"]
+++
# Reference
Find detailed information about the Infection Monkey:
Find detailed information about the Infection Monkey.
{{% children %}}

18
docs/content/reference/agent_propagation.md
View File

@ -1,18 +0,0 @@
---
title: "Agent propagation"
date: 2022-06-03T13:17:22+05:30
draft: false
pre: '<i class="fas fa-user-secret"></i> '
weight: 2
tags: ["agent", "propagation", "reference"]
---
## How does the Infection Monkey Agent propagate to a new machine?
The agent propagates using remote code execution vulnerabilities. Once the
agent has achieved remote code execution on the victim, it executes commands
that are similar to the ones described in [manual run
page.](../../usage/running-manually/)
On Windows targets, the agent is copied to `C:\Windows\temp\monkey64.exe`. On
Linux targets, it is copied to `/tmp/monkey`.

27
docs/content/reference/data_directory.md
View File

@ -16,30 +16,3 @@ configuration files, etc.
On Linux, the default path is `$HOME/.monkey_island`.
On Windows, the default path is `%AppData%\monkey_island`.
## How do I configure the location of the data directory on Linux?
The location of the data directory is set in the `data_dir` field in the
`server_config.json` file.
1. [Create a custom server_config.json file](../server_configuration) and set the `data_dir` field. Its
contents will look like this:
```json
{
"log_level": "DEBUG",
"environment": {
"server_config": "password"
},
"mongodb": {
"start_mongodb": true
},
"data_dir": "<PATH_TO_DATA_DIR>"
}
```
1. Start the Infection Monkey with the `--server-config` parameter.
```bash
$ InfectionMonkey-VERSION.AppImage --server-config <PATH_TO_SERVER_CONFIG>
```

35
docs/content/reference/exploiters/Drupal.md Normal file
View File

@ -0,0 +1,35 @@
---
title: "Drupal"
date: 2020-09-01T08:42:46+03:00
draft: false
tags: ["exploit", "linux", "windows"]
---
The Drupal exploiter exploits [CVE-2019-6340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340)
on a vulnerable Drupal server.
### Description
Some field types do not properly sanitize data from non-form sources in certain versions
of Drupal server.
This can lead to arbitrary PHP code execution in some cases.
### Affected Versions
* Drupal 8.5.x (before 8.5.11) and Drupal 8.6.x (before 8.6.10).
One of the following conditions must hold:
* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH
or POST requests; OR
* The site has another web services module enabled, like JSON:API in
Drupal 8, or Services or RESTful Web Services in Drupal 7.
### Notes
* The Infection Monkey exploiter implementation is based on an open-source
[Python implementation](https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a)
of the exploit by @leonjza.
* For the full attack to work, more than one vulnerable URL is required.

13
docs/content/reference/exploiters/ElasticGroovy.md Normal file
View File

@ -0,0 +1,13 @@
---
title: "ElasticGroovy"
date: 2020-07-14T08:41:40+03:00
draft: false
tags: ["exploit", "windows", "linux"]
---
### Description
CVE-2015-1427
> The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x (before 1.4.3) allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
The logic is based on the [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66/modules/exploits/multi/elasticsearch/search_groovy_script.rb).

37
docs/content/reference/exploiters/Log4Shell.md
View File

@ -1,37 +0,0 @@
---
title: "Log4Shell"
date: 2022-01-12T14:07:23+05:30
draft: false
tags: ["exploit", "linux", "windows"]
---
The Log4Shell exploiter exploits
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
### Description
Some versions of Apache Log4j, a Java logging framework, have a logging feature
called "Message Lookup Substitution" enabled by default. This allows replacing
certain special strings by dynamically-generated strings at the time of
logging. If log messages or log message parameters can be controlled by an
attacker, arbitrary code can be executed. The Log4Shell exploiter takes
advantage of this vulnerability to propagate to a victim machine.
You can learn more about this vulnerability and potential mitigations
[here](https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0_.28Java_8.29).
### Services exploited
The Infection Monkey will attempt to exploit the Log4Shell vulnerability in the
following services:
- Apache Solr
- Apache Tomcat
- Logstash
**Note**: Even if none of these services are running in your environment,
running the Log4Shell exploiter can be a good way to test your IDS/IPS or EDR
solutions. These solutions should detect that the Infection Monkey is attempting
to exploit the Log4Shell vulnerability and raise an appropriate alert.

14
docs/content/reference/exploiters/MS08-067.md Normal file
View File

@ -0,0 +1,14 @@
---
title: "MS08 067"
date: 2020-07-14T08:42:54+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
[MS08-067](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067) is a remote code execution vulnerability.
This exploiter is unsafe. It's therefore **not** enabled by default.
If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If a crash in Svchost.exe occurs, the server service will be affected. This may cause a system crash due to the use of buffer overflow.

2
docs/content/reference/exploiters/MsSQL.md
View File

@ -7,4 +7,4 @@ tags: ["exploit", "windows"]
### Description
For this exploit, the Infection Monkey will try to brute force into an MsSQL server and use an insecure configuration to execute commands on the server.
For this exploit, the Infection Monkey will try to brute force into a MsSQL server and use an insecure configuration to execute commands on the server.

65
docs/content/reference/exploiters/PowerShell.md
View File

@ -1,65 +0,0 @@
---
title: "PowerShell"
date: 2021-08-24T12:19:21+03:00
draft: false
tags: ["exploit", "windows"]
---
### Description
This exploiter uses brute-force to propagate to a victim through PowerShell
Remoting using Windows Remote Management (WinRM).
See Microsoft's documentation for more on [PowerShell Remoting
Protocol](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1)
and [Windows Remote
Management](https://docs.microsoft.com/en-us/windows/win32/winrm/portal).
##### Credentials used
The PowerShell exploiter can be run from both Linux and Windows attackers. On
Windows attackers, the exploiter has the ability to use the cached username
and/or password from the current user. On both Linux and Windows attackers, the
exploiter uses all combinations of the [user-configured usernames and
passwords]({{< ref "/usage/configuration/basic-credentials" >}}), as well as LM or NT hashes that have been collected. Different combinations of
credentials are attempted in the following order:
1. **Cached username and password (Windows attacker only)** - The exploiter will
use the stored credentials of the current user to attempt to log into the
victim machine.
1. **Brute force usernames with blank passwords** - Windows allows you to
configure a user with a blank/empty password. The exploiter will attempt to
log into the victim machine using each username set in the
[configuration]({{< ref "/usage/configuration/basic-credentials" >}}) with a
blank password.
In order for the attacker to connect with a blank password, the victim must
have enabled basic authentication, http and no encryption.
1. **Brute force usernames with cached password (Windows attacker only)** - The
exploiter will attempt to log into the victim machine using each username
set in the [configuration]({{< ref "/usage/configuration/basic-credentials"
>}}) and the current user's cached password.
1. **Brute force usernames and passwords** - The exploiter will attempt to use
all combinations of usernames and passwords that were set in the
[configuration.]({{< ref "/usage/configuration/basic-credentials" >}})
1. **Brute force usernames and LM hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and LM hashes that were
collected from any other victims.
1. **Brute force usernames and NT hashes** - The exploiter will attempt to use
all combinations of usernames that were set in the [configuration]({{< ref
"/usage/configuration/basic-credentials" >}}) and NT hashes that were
collected from any other victims.
#### Securing PowerShell Remoting
Information about how to remediate security concerns related to PowerShell
Remoting can be found
[here](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.1).

9
docs/content/reference/exploiters/Sambacry.md Normal file
View File

@ -0,0 +1,9 @@
---
title: "Sambacry"
date: 2020-07-14T08:42:02+03:00
draft: false
tags: ["exploit", "linux"]
---
### Description
This exploit brute forces machines and searches for anonymous shares. It is partially based on [the following implementation](https://github.com/CoreSecurity/impacket/blob/master/examples/sambaPipe.py) by CORE Security Technologies' impacket.

9
docs/content/reference/exploiters/Struts2.md Normal file
View File

@ -0,0 +1,9 @@
---
title: "Struts2"
date: 2020-07-14T08:42:30+03:00
draft: false
tags: ["exploit", "linux", "windows"]
---
### Description
This exploit, CVE-2017-5638, utilizes the Struts 2 Java web framework. The logic is based on [VEX WOO's PoC](https://www.exploit-db.com/exploits/41570).

9
docs/content/reference/exploiters/VSFTPD.md Normal file
View File

@ -0,0 +1,9 @@
---
title: "VSFTPD"
date: 2020-07-14T08:42:39+03:00
draft: false
tags: ["exploit", "linux"]
---
### Description
This exploits a malicious backdoor that was added to the VSFTPD download archive. The logic is based on [this MetaSploit module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb).

9
docs/content/reference/exploiters/WebLogic.md Normal file
View File

@ -0,0 +1,9 @@
---
title: "WebLogic"
date: 2020-07-14T08:42:46+03:00
draft: false
tags: ["exploit", "linux", "windows"]
---
### Description
This exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on a vulnerable WebLogic server.

16
docs/content/reference/exploiters/Zerologon.md
View File

@ -10,7 +10,7 @@ The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/c
### Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). The Zerologon exploiter takes advantage of this vulnerability to steal credentials from the domain controller. This allows the Infection Monkey to propagate to the machine using one of the brute force exploiters (for example, the SMB Exploiter).
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
@ -21,10 +21,10 @@ is, therefore, **not** enabled by default.
During successful exploitation, the Zerologon exploiter:
* Will temporarily change the target domain controller's password.
* May break the target domain controller's communication with other systems in the network, affecting functionality.
* May change the administrator's password.
* Will *attempt* to revert all changes.
* will temporarily change the target domain controller's password.
* may break the target domain controller's communication with other systems in the network, affecting functionality.
* may change the administrator's password.
* will *attempt* to revert all changes.
While the Zerologon exploiter is usually successful in reverting its changes
and restoring the original passwords, it sometimes fails. Restoring passwords
@ -58,17 +58,17 @@ to regain access to the system.
#### Use Reset-ComputerMachinePassword
If you are able to log in as the administrator, you can use the
If you are able to login as the administrator, you can use the
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
powershell command to restore the domain controller's password.
#### Try a Zerologon password restoration tool
#### Try a zerologon password restoration tool
If all other approaches fail, you can try the tools and steps found
[here](https://github.com/risksense/zerologon).
### Note
### Notes
* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).

2
docs/content/reference/exploiters/_index.md
View File

@ -9,7 +9,7 @@ tags = ["reference", "exploit"]
# Exploiters
The Infection Monkey uses various remote code execution (RCE) exploiters. To our best knowledge, most of these pose no risk to performance or services on victim machines. This documentation serves as a quick introduction to the exploiters currently implemented and the vulnerabilities they use:
The Infection Monkey uses various remote code execution (RCE) exploiters. To our best knowledge, most of these pose no risk to performance or services on victim machines. This documentation serves as a quick introduction to the exploiters currently implemented and the vulnerabilities they use.
{{% children %}}

11
docs/content/reference/exploiters/shellshock.md Normal file
View File

@ -0,0 +1,11 @@
---
title: "ShellShock"
date: 2020-07-14T08:41:32+03:00
draft: false
tags: ["exploit", "linux"]
---
### Description
This exploit, CVE-2014-6271, is based on the [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py).
> In GNU Bash (through 4.3), processes trailing strings after function definitions in the values of environment variables allow remote attackers to execute arbitrary code via a crafted environment. This is demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution, AKA "ShellShock."

1
docs/content/reference/mitre_techniques.md
View File

@ -18,6 +18,7 @@ In the following table, we list all the MITRE ATT&CK techniques the Infection Mo
| TACTIC | TECHNIQUES |
|--- |--- |
| [Execution](https://attack.mitre.org/tactics/TA0002/) | [Command-line Interface](https://attack.mitre.org/techniques/T1059/) |
| | [Execution Through Module Load](https://attack.mitre.org/techniques/T1129/) |
| | [Execution Through API](https://attack.mitre.org/techniques/T1106/) |
| | [Powershell](https://attack.mitre.org/techniques/T1086/) |
| | [Scripting](https://attack.mitre.org/techniques/T1064/) |

19
docs/content/reference/operating_systems_support.md
View File

@ -4,7 +4,7 @@ date: 2020-07-14T08:09:53+03:00
draft: false
pre: '<i class="fas fa-laptop"></i> '
weight: 10
tags: ["setup", "reference", "windows", "linux"]
tags: ["setup", "reference", "windows", "linux"]
---
The Infection Monkey project supports many popular OSes (but we are always interested in supporting more).
@ -44,4 +44,21 @@ Compatibility depends on GLIBC version (2.14+)[^1]. By default, these distributi
We also provide a Dockerfile on our [website](http://infectionmonkey.com/) that lets the Monkey Island run inside a container.
### Old machine bootloader
Some **older machines** still have partial compatibility and will be exploited and reported, but the Infection Monkey agent can't run on them. In these cases, old machine bootloader (a small C program) will be run, which reports some minor info like network interface configuration, GLIBC version, OS, etc.
**Old machine bootloader** also has a GLIBC 2.14+ requirement for Linux because the bootloader is included in the Pyinstaller bootloader, which uses Python 3.7 that in turn requires GLIBC 2.14+. If you think partial support for older machines is important, don't hesitate to open a new issue about it.
**Old machine bootloader** runs on machines with:
- Centos 7+
- Debian 7+
- Kali 2019+
- Oracle 7+
- Rhel 7+
- Suse 12+
- Ubuntu 14+
- **Windows XP/Server 2003+**
[^1]: The GLIBC >= 2.14 requirement exists because the Infection Monkey was built using this GLIBC version, and GLIBC is not backward compatible. We are also limited to the oldest GLIBC version compatible with Python 3.7.

6
docs/content/reference/scanners/_index.md
View File

@ -29,13 +29,14 @@ The currently implemented Fingerprint modules are:
2. [`SSHFinger`][ssh-finger] - Fingerprints target machines over SSH (port 22) and extracts the computer version and SSH banner.
3. [`PingScanner`][ping-scanner] - Fingerprints target machine's TTL to differentiate between Linux and Windows hosts.
4. [`HTTPFinger`][http-finger] - Detects HTTP/HTTPS services, using the ports listed in `HTTP_PORTS` in the configuration, will return the server type and if it supports SSL.
5. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) and will extract the cluster name, node name and node version.
5. [`MySQLFinger`][mysql-finger] - Fingerprints MySQL (port 3306) and will extract MySQL banner info - version, major/minor/build and capabilities.
6. [`ElasticFinger`][elastic-finger] - Fingerprints ElasticSearch (port 9200) will extract the cluster name, node name and node version.
## Adding a scanner/fingerprinter
To add a new scanner/fingerprinter, create a new class that inherits from [`HostScanner`][host-scanner] or [`HostFinger`][host-finger] (depending on the interface). The class should be under the network module and imported under [`network/__init__.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/network/__init__.py).
To use the new scanner/fingerprinter by default, modify [`infection_monkey/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/config.py) to add references to the new class.
To use the new scanner/fingerprinter by default, two files need to be changed - [`infection_monkey/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/config.py) and [`infection_monkey/example.conf`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/example.conf) to add references to the new class.
At this point, the Infection Monkey knows how to use the new scanner/fingerprinter but to make it easy to use, the UI needs to be updated. The relevant UI file is [`monkey_island/cc/services/config.py`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/cc/services/config.py).
@ -43,6 +44,7 @@ At this point, the Infection Monkey knows how to use the new scanner/fingerprint
[http-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/httpfinger.py
[host-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
[host-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/__init__.py
[mysql-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/mysqlfinger.py
[ping-scanner]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/ping_scanner.py
[smb-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/smbfinger.py
[ssh-finger]: https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/network/sshfinger.py

47
docs/content/reference/server_configuration.md
View File

@ -1,47 +0,0 @@
---
title: "Server configuration"
date: 2021-11-26T12:00:19+02:00
draft: true
pre: '<i class="fas fa-cogs"></i> '
weight: 1
---
## Configuring the Island
The Island Server(C&C) is configured by creating a `server_config.json` file.
### Creating a configuration file
Here's an example `server_config.json` with all options specified:
```json
{
"log_level": "DEBUG",
"ssl_certificate": {
"ssl_certificate_file": "<PATH_TO_CRT_FILE>",
"ssl_certificate_key_file": "<PATH_TO_KEY_FILE>"
},
"mongodb": {
"start_mongodb": true
},
"data_dir": "/monkey_island_data"
}
```
Only relevant options can be specified, for example:
```json
{
"ssl_certificate": {
"ssl_certificate_file": "<PATH_TO_CRT_FILE>",
"ssl_certificate_key_file": "<PATH_TO_KEY_FILE>"
}
}
```
### Configuration options
See setup instructions for your operating system to understand how to apply these.
- `log_level` - can be set to `"DEBUG"`(verbose), `"INFO"`(less verbose) or `"ERROR"`(silent, except errors).
- `ssl_certificate` - contains paths for files, required to run the Island server with custom certificate.
- `data_dir` - path to a writeable directory where the Island will store the database and other files.
- `mongodb` - options for MongoDB. Should not be changed unless you want to run your own instance of MongoDB.

2
docs/content/reports/_index.md
View File

@ -8,6 +8,6 @@ pre = "<i class='fas fa-scroll'></i> "
# Infection Monkey's Reports
The Infection Monkey offers four reports:
The Infection Monkey offers three reports:
{{% children description=true style="p"%}}

3
docs/content/reports/mitre.md
View File

@ -2,7 +2,6 @@
title: "MITRE ATT&CK report"
description: "Maps the Monkey's actions to the MITRE ATT&CK knowledge base"
date: 2020-06-24T21:17:18+03:00
weight: 3
draft: false
---
@ -18,7 +17,7 @@ Watch the overview video:
## How to use the report
The MITRE ATT&CK report is centered around the ATT&CK matrix:
The MITRE ATT&CK report is centred around the ATT&CK matrix:
![MITRE Report](/images/usage/reports/mitre-report-0.png "MITRE Report")

49
docs/content/reports/ransomware.md
View File

@ -1,49 +0,0 @@
---
title: "Ransomware report"
date: 2021-08-05T13:23:10+03:00
weight: 4
draft: false
description: "Provides information about ransomware simulation on your network"
---
{{% notice info %}}
Check out [the Infection Monkey's ransomware simulation documentation]({{< ref
"/usage/scenarios/ransomware-simulation" >}}) and [the documentation for other
available reports]({{< ref "/reports" >}}).
{{% /notice %}}
The Infection Monkey can be configured to [simulate a ransomware
attack](/usage/scenarios/ransomware-simulation) on your network. After running,
it generates a **Ransomware Report** that provides you with insight into how
ransomware might behave within your environment.
The report is split into three sections:
- [Breach](#breach)
- [Lateral Movement](#lateral-movement)
- [Attack](#attack)
## Breach
The breach section shows when and where the ransomware infection began.
![Breach](/images/usage/reports/ransomware_report_1_breach.png "Breach")
## Lateral movement
The lateral movement section provides information about how the simulated
ransomware was able to propagate through your network.
![Lateral
Movement](/images/usage/reports/ransomware_report_2_lateral_movement.png
"Lateral Movement")
## Attack
The attack section shows the details of what the simulated ransomware
successfully encrypted, including a list of specific files.
![Attack](/images/usage/reports/ransomware_report_3_attack.png "Attack")

1
docs/content/reports/security.md
View File

@ -1,7 +1,6 @@
---
title: "Security report"
date: 2020-06-24T21:16:10+03:00
weight: 1
draft: false
description: "Provides actionable recommendations and insight into an attacker's view of your network"
---

5
docs/content/reports/zero-trust.md
View File

@ -1,7 +1,6 @@
---
title: "Zero Trust report"
date: 2020-06-24T21:16:18+03:00
weight: 2
draft: false
description: "Generates a status report with detailed explanations of Zero Trust security gaps and prescriptive instructions on how to rectify them"
---
@ -27,9 +26,9 @@ This diagram provides you with a quick glance at how your organization scores on
![Zero Trust Report summary](/images/usage/reports/ztreport1.png "Zero Trust Report summary")
## Test results
## Test Results
This section shows how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust pillar, so you can quickly navigate to the category you want to prioritize.
This section shows how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust pillar, so you can quickly navigate to the category you want to prioritize.
![Zero Trust Report test results](/images/usage/reports/ztreport2.png "Zero Trust Report test results")

2
docs/content/setup/accounts-and-security.md
View File

@ -11,6 +11,8 @@ tags: ["usage", "password"]
The first time you launch Monkey Island (the Infection Monkey C&C server), you'll be prompted to create an account and secure your island. After account creation, the server will only be accessible via the credentials you entered.
If you want an island to be accessible without credentials, press *I want anyone to access the island*. Please note that this option is insecure, and you should only use it in development environments.
## Resetting your account credentials
This procedure is documented in [the FAQ]({{< ref "/faq/#how-do-i-reset-the-monkey-island-password" >}}).

7
docs/content/setup/aws.md
View File

@ -24,7 +24,12 @@ When ready, you can browse to the Infection Monkey running on the fresh deployme
`https://{public-ip}:5000`
To login to the machine, use *ubuntu* username.
You will be presented with a login page. Enter the username **monkey**, and the
new EC2 instance's **instance ID** for your password. To find your instance ID,
go to the EC2 console and select your instance. It should appear in the details
pane below.
![AWS instance ID](../../images/setup/aws/aws-instance-id.png "AWS instance ID")
## Integration with AWS services

168
docs/content/setup/docker.md
View File

@ -23,20 +23,16 @@ The Infection Monkey Docker container works on Linux only. It is not compatible
1. Extract the Monkey Island Docker tarball:
```bash
tar -xvzf InfectionMonkey-docker-v1.13.0.tgz
tar -xvzf monkey-island-docker.tar.gz
```
1. Load the Monkey Island Docker image:
```bash
sudo docker load -i InfectionMonkey-docker-v1.13.0.tar
sudo docker load -i dk.monkeyisland.1.10.0.tar
```
### 2. Start MongoDB
{{% notice info %}}
If you are upgrading the Infection Monkey to a new version, be sure to remove
any MongoDB containers or volumes associated with the previous version.
{{% /notice %}}
1. Start a MongoDB Docker container:
@ -49,115 +45,95 @@ any MongoDB containers or volumes associated with the previous version.
mongo:4.2
```
### 3. Start Monkey Island with default certificate
### 3a. Start Monkey Island with default certificate
By default, Infection Monkey comes with a [self-signed SSL certificate](https://aboutssl.org/what-is-self-sign-certificate/). In
enterprise or other security-sensitive environments, it is recommended that the
user [provide Infection Monkey with a
certificate](#start-monkey-island-with-user-provided-certificate) that has
certificate](#3b-start-monkey-island-with-user-provided-certificate) that has
been signed by a private certificate authority.
1. Run the Monkey Island server
```bash
sudo docker run \
--tty \
--interactive \
--name monkey-island \
--network=host \
guardicore/monkey-island:VERSION
guardicore/monkey-island:1.10.0
```
### 3b. Start Monkey Island with user-provided certificate
1. Create a directory named `monkey_island_data`. This will serve as the
location where Infection Monkey stores its configuration and runtime
artifacts.
```bash
mkdir ./monkey_island_data
chmod 700 ./monkey_island_data
```
1. Run Monkey Island with the `--setup-only` flag to populate the `./monkey_island_data` directory with a default `server_config.json` file.
```bash
sudo docker run \
--rm \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:1.10.0 --setup-only
```
1. Move your `.crt` and `.key` files to `./monkey_island_data`.
1. Make sure that your `.crt` and `.key` files are readable and writeable only by you.
```bash
chmod 600 ./monkey_island_data/<KEY_FILE>
chmod 600 ./monkey_island_data/<CRT_FILE>
```
1. Edit `./monkey_island_data/server_config.json` to configure Monkey Island
to use your certificate. Your config should look something like this:
```json {linenos=inline,hl_lines=["11-14"]}
{
"data_dir": "/monkey_island_data",
"log_level": "DEBUG",
"environment": {
"server_config": "password",
"deployment": "docker"
},
"mongodb": {
"start_mongodb": false
},
"ssl_certificate": {
"ssl_certificate_file": "/monkey_island_data/<CRT_FILE>",
"ssl_certificate_key_file": "/monkey_island_data/<KEY_FILE>"
}
}
```
1. Start the Monkey Island server:
```bash
sudo docker run \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:1.10.0
```
### 4. Accessing Monkey Island
After the Monkey Island docker container starts, you can access Monkey Island by pointing your browser at `https://localhost:5000`.
## Configuring the server
You can configure the server by mounting a volume and specifying a
[server configuration file](../../reference/server_configuration):
1. Create a directory for server configuration file, e.g. `monkey_island_data`:
```bash
mkdir ./monkey_island_data
chmod 700 ./monkey_island_data
```
1. Move your `server_config.json` file to `./monkey_island_data` directory.
1. Run the container with a mounted volume, specify the path to the `server_config.json`:
```bash
sudo docker run \
--rm \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:VERSION --setup-only --server-config="/monkey_island_data/server_config.json"
```
### Start Monkey Island with user-provided certificate
By default, Infection Monkey comes with a [self-signed SSL
certificate](https://aboutssl.org/what-is-self-sign-certificate/). In
enterprise or other security-sensitive environments, it is recommended that the
user provide Infection Monkey with a certificate that has been signed by a
private certificate authority.
1. Terminate the docker container if it's already running.
1. Move your `.crt` and `.key` files to `./monkey_island_data` (directory created for the volume).
1. Make sure that your `.crt` and `.key` files are readable only by you.
```bash
chmod 600 <PATH_TO_KEY_FILE>
chmod 600 <PATH_TO_CRT_FILE>
```
1. Modify the [server configuration file](../../reference/server_configuration) and add the following lines:
```json
{
"ssl_certificate": {
"ssl_certificate_file": "/monkey_island_data/my_cert.crt",
"ssl_certificate_key_file": "/monkey_island_data/my_key.key"
}
}
```
1. Run the container with a mounted volume, specify the path to the `server_config.json`:
```bash
sudo docker run \
--rm \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:VERSION --setup-only --server-config="/monkey_island_data/server_config.json"
```
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
### Change logging level
1. Stop the docker container if it's already running.
1. Modify the [server configuration file](../../reference/server_configuration) by adding the following lines:
```json
{
"log_level": "INFO"
}
```
1. Run the container with a mounted volume, specify the path to the `server_config.json`:
```bash
sudo docker run \
--rm \
--name monkey-island \
--network=host \
--user "$(id -u ${USER}):$(id -g ${USER})" \
--volume "$(realpath ./monkey_island_data)":/monkey_island_data \
guardicore/monkey-island:VERSION --setup-only --server-config="/monkey_island_data/server_config.json"
```
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
## Upgrading
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download it, stop and remove the current Monkey
Island and MongoDB containers and volumes, and run the installation commands
again with the new file.
To get an updated version, download it, stop the current container and run the
installation commands again with the new file.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
@ -176,7 +152,7 @@ to store data in the `monkey-mongo` container.
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xee in position 0: invalid continuation byte
```
Starting a new container from the `guardicore/monkey-island:VERSION` image
Starting a new container from the `guardicore/monkey-island:1.10.0` image
generates a new secret key for storing sensitive information in MongoDB. If you
have an old database instance running (from a previous instance of Infection
Monkey), the data stored in the `monkey-mongo` container has been encrypted

103
docs/content/setup/linux.md
View File

@ -14,60 +14,25 @@ package that contains an application and everything that it may need to run.
The Infection Monkey AppImage package should run on most modern Linux distros that have FUSE
installed, but the ones that we've tested are:
- BlackArch 2020.12.01
- Kali 2021.2
- Parrot 4.11
- Rocky 8
- openSUSE Leap 15.3
- Ubuntu Bionic 18.04
- Ubuntu Focal 20.04
- Ubuntu Hirsute 21.04
On Windows, AppImage can be run in WSL 2.
- CentOS
- Debian
- Kali
- Ubuntu 18.04
- Ubuntu 20.04
## Deployment
1. Make the AppImage package executable:
```bash
chmod u+x InfectionMonkey-v1.13.0.AppImage
chmod u+x Infection_Monkey_v1.11.0.AppImage
```
1. Start Monkey Island by running the Infection Monkey AppImage package:
```bash
./InfectionMonkey-v1.13.0.AppImage
./Infection_Monkey_v1.11.0.AppImage
```
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
{{% notice info %}}
If you're prompted to delete your data directory and you're not sure what to
do, see the [FAQ]({{< ref
"/faq/#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why"
>}}) for more information.
{{% /notice %}}
## Running the Infection Monkey as a service on boot
The Infection Monkey can be installed as a service and run on boot by running the AppImage package
with the following parameters. This requires root permissions, so run `sudo -v` and enter your
password before running the script, if required.
```bash
./InfectionMonkey-v1.13.0.AppImage service --install --user <USERNAME>
```
To uninstall it, run:
```bash
./InfectionMonkey-v1.13.0.AppImage service --uninstall
```
## Configuring the server
You can configure the server by creating
a [server configuration file](../../reference/server_configuration) and
providing a path to it via command line parameters:
`./InfectionMonkey-v1.13.0.AppImage --server-config="/path/to/server_config.json"`
### Start Monkey Island with user-provided certificate
By default, Infection Monkey comes with a [self-signed SSL
@ -76,7 +41,13 @@ enterprise or other security-sensitive environments, it is recommended that the
user provide Infection Monkey with a certificate that has been signed by a
private certificate authority.
1. Terminate the Island process if it's already running.
1. Run the Infection Monkey AppImage package with the `--setup-only` flag to
populate the `$HOME/.monkey_island` directory with a default
`server_config.json` file.
```bash
./Infection_Monkey_v1.11.0.AppImage --setup-only
```
1. (Optional but recommended) Move your `.crt` and `.key` files to
`$HOME/.monkey_island`.
@ -88,42 +59,30 @@ private certificate authority.
chmod 600 <PATH_TO_CRT_FILE>
```
1. Create a [server configuration file and provide the path to the certificate](../../reference/server_configuration).
The server configuration file should look something like:
1. Edit `$HOME/.monkey_island/server_config.json` to configure Monkey Island
to use your certificate. Your config should look something like this:
```json
```json {linenos=inline,hl_lines=["11-14"]}
{
"ssl_certificate": {
"ssl_certificate_file": "$HOME/.monkey_island/my_cert.crt",
"ssl_certificate_key_file": "$HOME/.monkey_island/my_key.key"
}
"data_dir": "~/.monkey_island",
"log_level": "DEBUG",
"environment": {
"server_config": "password",
"deployment": "linux"
},
"mongodb": {
"start_mongodb": true
},
"ssl_certificate": {
"ssl_certificate_file": "<PATH_TO_CRT_FILE>",
"ssl_certificate_key_file": "<PATH_TO_KEY_FILE>"
}
}
```
1. Start Monkey Island by running the Infection Monkey AppImage package:
```bash
./InfectionMonkey-v1.13.0.AppImage --server-config="/path/to/server_config.json"
```
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
### Change logging level
1. Terminate the Island process if it's already running.
1. Create a [server configuration file](../../reference/server_configuration).
The server configuration file should look something like:
```json
{
"log_level": "INFO"
}
```
1. Start Monkey Island by running the Infection Monkey AppImage package:
```bash
./InfectionMonkey-v1.13.0.AppImage --server-config="/path/to/server_config.json"
./Infection_Monkey_v1.11.0.AppImage
```
1. Access the Monkey Island web UI by pointing your browser at

75
docs/content/setup/vmware.md Normal file
View File

@ -0,0 +1,75 @@
---
title: "VMware"
date: 2020-05-26T20:57:14+03:00
draft: false
pre: '<i class="fas fa-laptop-code"></i> '
weight: 3
tags: ["setup", "vmware"]
---
## Deployment
1. Deploy the Infection Monkey OVA by choosing **Deploy OVF Template** and
following the wizard instructions. *Note: make sure ports 5000 and 5001 on
the machine are accessible for inbound TCP traffic.*
1. Turn on the Infection Monkey VM.
1. Log in to the machine with the following credentials:
1. Username: **monkeyuser**
1. Password: **Noon.Earth.Always**
1. For security purposes, it's recommended that you change the machine
passwords by running the following commands: `sudo passwd monkeyuser`, `sudo
passwd root`.
## OVA network modes
You can use the OVA in one of two modes:
1. In a network with the DHCP configured — In this case, the Monkey Island will
automatically query and receive an IP address from the network.
1. With a static IP address — In this case, you should log in to the VM console
with the username `monkeyuser` and the password `Noon.Earth.Always`. After logging
in, edit the Netplan configuration by entering the following command in the
prompt:
```sh
sudo nano /etc/netplan/00-installer-config.yaml
```
Make the following changes:
```diff
# This is the network config written by 'subiquity'
network:
ethernets:
ens160:
- dhcp4: true
+ dhcp4: false
+ addresses: [XXX.XXX.XXX.XXX/24]
+ gateway4: YYY.YYY.YYY.YYY
+ nameservers:
+ addresses: [1.1.1.1]
version: 2
```
Replace `XXX.XXX.XXX.XXX` with the desired IP addess of the VM. Replace
`YYY.YYY.YYY.YYY` with the default gateway.
Save the changes then run the command:
```sh
sudo netplan apply
```
If this configuration does not suit your needs, see
https://netplan.io/examples/ for more information about how to configure
Netplan.
## Upgrading
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download the updated OVA file.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

62
docs/content/setup/windows.md
View File

@ -9,10 +9,6 @@ tags: ["setup", "windows"]
## Deployment
{{% notice tip %}}
Don't get scared if the Infection Monkey gets [flagged as malware during the installation](/faq/#is-the-infection-monkey-a-malwarevirus).
{{% /notice %}}
After running the installer, the following prompt should appear on the screen:
![Windows installer screenshot](../../images/setup/windows/installer-screenshot-1.png "Windows installer screenshot")
@ -20,58 +16,38 @@ After running the installer, the following prompt should appear on the screen:
1. Follow the steps to complete the installation.
1. Run the Monkey Island by clicking on the desktop shortcut.
{{% notice info %}}
If you're prompted to delete your data directory and you're not sure what to
do, see the [FAQ]({{< ref
"/faq/#i-updated-to-a-new-version-of-the-infection-monkey-and-im-being-asked-to-delete-my-existing-data-directory-why"
>}}) for more information.
{{% /notice %}}
>
## Configuring the server
You can configure the server by editing [the configuration
file](../../reference/server_configuration) located in installation directory.
The default path is
`C:\Program Files\Guardicore\Monkey Island\monkey\monkey_island\cc\server_config.json`.
### Start Monkey Island with user-provided certificate
### Start Monkey Island with user-provided certificcate
By default, Infection Monkey comes with a [self-signed SSL certificate](https://aboutssl.org/what-is-self-sign-certificate/). In
enterprise or other security-sensitive environments, it is recommended that the
user provide Infection Monkey with a certificate that has been signed by a
private certificate authority.
1. If you haven't already, run the Monkey Island by clicking on the desktop
shortcut. This will populate MongoDB, as well as create and populate
`%AppData%\monkey_island`.
1. Stop the Monkey Island process.
1. (Optional but recommended) Move your `.crt` and `.key` files to `%AppData%\monkey_island`.
1. Modify the `server_config.json` (by default located in `C:\Program Files\Guardicore\Monkey Island\monkey\monkey_island\cc\server_config.json`) by adding the following lines:
```json
1. Edit `%AppData%\monkey_island\server_config.json` to configure Monkey Island
to use your certificate. Your config should look something like this:
```json {linenos=inline,hl_lines=["11-14"]}
{
...
"ssl_certificate": {
"ssl_certificate_file": "%AppData%\\monkey_island\\my_cert.crt",
"ssl_certificate_key_file": "%AppData%\\monkey_island\\my_key.key"
"log_level": "DEBUG",
"environment": {
"server_config": "password",
"deployment": "windows"
},
...
"mongodb": {
"start_mongodb": true
},
"ssl_certificate": {
"ssl_certificate_file": "<PATH_TO_CRT_FILE>",
"ssl_certificate_key_file": "<PATH_TO_KEY_FILE>"
}
}
```
1. Run the Monkey Island by clicking on the desktop shortcut.
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
### Change logging level
1. Stop the Island server.
1. Modify the `server_config.json` (by default located in `C:\Program Files\Guardicore\Monkey Island\monkey\monkey_island\cc\server_config.json`) by adding the following lines:
```json
{
...
"log_level": "INFO",
...
}
```
1. Run the Monkey Island by clicking on the desktop shortcut.
1. Access the Monkey Island web UI by pointing your browser at
`https://localhost:5000`.
## Troubleshooting

2
docs/content/usage/_index.md
View File

@ -10,4 +10,4 @@ pre = '<i class="fas fa-users-cog"></i> '
If you're new to the Infection Monkey, check out our [Getting Started](getting-started) page.
If you haven't downloaded the Infection Monkey yet, {{% button href="https://www.akamai.com/infectionmonkey#download" icon="fas fa-download" %}}Get Infection Monkey here{{% /button %}}!
If you haven't downloaded the Infection Monkey yet, {{% button href="https://www.guardicore.com/infectionmonkey/#download" icon="fas fa-download" %}}Get Infection Monkey here{{% /button %}}!

4
docs/content/usage/configuration/basic-network.md
View File

@ -8,7 +8,5 @@ description: "Configure settings related to the Monkey's network activity."
Here you can control multiple important settings, such as:
* Network propagation depth - How many hops from the base machine will the Infection Monkey spread?
* Scan Agent's networks - Should the Infection Monkey attempt to attack any machine in its subnet?
_Be careful when using this option. If a machine is connected to a public network, then the agent will scan the public network!_
* Local network scan - Should the Infection Monkey attempt to attack any machine in its subnet?
* Scanner IP/subnet list - Which specific IP ranges should the Infection Monkey should try to attack?

37
docs/content/usage/file-checksums.md
View File

@ -6,7 +6,7 @@ weight: 100
pre: "<i class='fas fa-certificate'></i> "
---
The official distribution of Infection Monkey is compiled and supplied by Guardicore ([download from our official site here](https://www.akamai.com/infectionmonkey#download)). The team signs all software packages to certify that a particular Infection Monkey package is a valid and unaltered Infection Monkey release. Before installing Monkey, you should validate the package using the SHA-256 checksum.
The official distribution of Infection Monkey is compiled and supplied by Guardicore ([download from our official site here](https://www.guardicore.com/infectionmonkey/#download)). The team signs all software packages to certify that a particular Infection Monkey package is a valid and unaltered Infection Monkey release. Before installing Monkey, you should validate the package using the SHA-256 checksum.
## How to get SHA-256 checksum
@ -37,45 +37,24 @@ $ sha256sum monkey-linux-64
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.13.0 | `3EDD20DE2247047C8A822C84145981936CE2FD0BDF843EB5CA777CA4D2478B35` |
| monkey-windows-32.exe | Windows Agent | 1.13.0 | `7497907E3CF4FFEB121A7795BFA16709800E6E0F99770F64AF7FFF684ECBA6D6` |
| monkey-linux-64 | Linux Agent | 1.13.0 | `F21E709CB7BA8DAF90B908AF5FE485BA43866C325D3C7CE1EB07E8A2323E07C1` |
| monkey-linux-32 | Linux Agent | 1.13.0 | `24C5779825F26C76A8910794836647096F4BB4B47CFD6AD213CC48116D140FAB` |
| InfectionMonkey-v1.13.0.AppImage | Linux Package | 1.13.0 | `CDED4E8394A4D2A809BA9B74B924AEA590317515B9B032BA8005A93DFCE1C861` |
| InfectionMonkey-docker-v1.13.0.tgz | Docker | 1.13.0 | `342701BA8EC5B754C59685896FC3DCDBB93362FFFAD0EC7F9E2E5B99DA26F5EC` |
| InfectionMonkey-v1.13.0.exe | Windows Installer | 1.13.0 | `D35ED6CAF21AC786D9A438510282FA07AEF812590A5E6405A01F2B06661B33B9` |
## Older checksums
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.12.0 | `02e5e051a96e2ca61ae8e661b3a5828ee53a0fc00aca6502d5c73a46754f0d07` |
| monkey-windows-32.exe | Windows Agent | 1.12.0 | `3c10f610f47c4fd227cf85f6bf800d66ed31fe37dc2e2ed408860483685ba504` |
| monkey-linux-64 | Linux Agent | 1.12.0 | `1ad52eabd704a9b0fbf642fa552629f30d3c5c27e431a687bd4cba4e0104d3f7` |
| monkey-linux-32 | Linux Agent | 1.12.0 | `d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3` |
| InfectionMonkey-v1.12.0.AppImage | Linux Package | 1.12.0 | `1325f2aa1d0c27aec2e2f9864ed53c53c524bd208313f87ea6606f59c90ff310` |
| InfectionMonkey-docker-v1.12.0.tgz | Docker | 1.12.0 | `dcaf669411d55ea6883920597af4a35f3735a286801e08b6ef047cc91ff32769` |
| InfectionMonkey-v1.12.0.exe | Windows Installer | 1.12.0 | `4d6e0373be3615a4b97721a07d2a854f6316d1ce8c4ff6d6495aac3a8f2c6a69` |
| monkey-windows-64.exe | Windows Agent | 1.11.0 | `12c55377381a8fc7d8ff731db52302ef2f8bb894d8712769e5a91a140ba22b0a` |
| monkey-windows-32.exe | Windows Agent | 1.11.0 | `e006b26663f59b92bad8d49b034cd8101dd481f881e3c4839a9c1e64fd99e849` |
| monkey-linux-64 | Linux Agent | 1.11.0 | `fb4c979ce6c29bb458be50a44cc6839650826b831da849da69a05dfefdc66462` |
| monkey-linux-32 | Linux Agent | 1.11.0 | `88d6d717f99047ae6f8ff9527b41ff004217c99b1b027f112d062dd9e66d11ab` |
| Infection_Monkey-1.11.0-x86_64.AppImage | Linux Package | 1.11.0 | `6312b6bff18c11c7db694f42cf5a41e894786c39e3e093b6b15abcbff80337f2` |
| infection_monkey_docker_20210811_211212.tgz | Docker | 1.11.0 | `40f203387cadd153f97c6a21dfdddacd4d4eeea334a9300d862bfb4ba528e2e6` |
| Monkey Island v1.11.0_3789.exe | Windows Installer | 1.11.0 | `20633c1993ea5f86b57b3a48d6875e8f72881f856f4713d747f07a559da05ccc` |
| monkey-windows-64.exe | Windows Agent | 1.10.0 | `3b499a4cf1a67a33a91c73b05884e4d6749e990e444fa1d2a3281af4db833fa1` |
| monkey-windows-32.exe | Windows Agent | 1.10.0 | `8e891e90b11b97fbbef27f1408c1fcad486b19c612773f2d6a9edac5d4cdb47f` |
| monkey-linux-64 | Linux Agent | 1.10.0 | `932f703510b6484c3824fc797f90f99722e38a7f8956cf6fa58fdecb3790ab93` |
| monkey-linux-32 | Linux Agent | 1.10.0 | `a6de7d571051292b9db966afe025413dc20b214c4aab53e48d90d8e04264f4f5` |
| infection_monkey_deb.tgz | Debian Package | 1.10.0 | `534d85c4abc78e2c86a74d8b88759b091b62077dd9e32f02eeb43d716d359ff6` |
| infection_monkey_debzt.tgz | Debian Package | 1.10.0 | `bd01d8482f80990e6cc0ed654c07dbd80da71eebe3dd244365e9bc00f86b1c03` |
| Monkey Island v1.10.0_3593_windows.exe | Windows Installer | 1.10.0 | `ebd2c5627d21dd8670def02c3a5a995f9e799ba567cf4caacd702654264ddf06` |
| Monkey Island v1.10.0_3593_windows.exe | Windows Installer | 1.10.0 | `ebd2c5627d21dd8670def02c3a5a995f9e799ba567cf4caacd702654264ddf06` |
| Monkey Island v1.10.0_3593_windowszt.exe | Windows Installer | 1.10.0 | `60aaf3b32e5d06c91fe0d4f1b950529517ac33796f67e9ccfef0e8ce1c5372d8` |
| infection_monkey_docker_docker_20210326_171631.tgz | Docker | 1.10.0 | `e4f9c7c5aafe7e38b33d2927a9c0cf6a3ac27858d3d0e3f2252c2e91809a78db` |
| infection_monkey_docker_dockerzt_20210326_172035.tgz | Docker | 1.10.0 | `248640e9eaa18e4c27f67237f0594d9533732f372ba4674d5d1bea43ab498cf5` |
| monkey-island-vmware.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
| monkey-island-vmwarezt.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
## Older checksums
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.9.0 | `24622cb8dbabb0cf4b25ecd3c13800c72ec5b59b76895b737ece509640d4c068` |
| monkey-windows-32.exe | Windows Agent | 1.9.0 | `67f12171c3859a21fc8f54c5b2299790985453e9ac028bb80efc7328927be3d8` |
| monkey-linux-64 | Linux Agent | 1.9.0 | `aec6b14dc2bea694eb01b517cca70477deeb695f39d40b1d9e5ce02a8075c956` |

5
docs/content/usage/getting-started.md
View File

@ -7,14 +7,11 @@ pre: "<i class='fas fa-play-circle'></i> "
tags: ["usage"]
---
<!-- TODO: Update screenshots -->
If you haven't deployed the Monkey Island yet, please [refer to our setup documentation](/setup).
## Using the Infection Monkey
After deploying the Monkey Island in your environment, navigate to `https://<server-ip>:5000`.
After deploying the Monkey Island in your environment, navigate to `https://<server-ip>:5000`.
### First-time login

Some files were not shown because too many files have changed in this diff Show More